Shorewall 1.4.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@800 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2003-12-02 23:51:46 +00:00 · 2003-12-02 23:51:46 +00:00 · c2ccd7fd3d
commit c2ccd7fd3d
parent 5466a7f35b
88 changed files with 11590 additions and 8983 deletions
--- a/Shorewall-docs/6to4.htm
+++ b/Shorewall-docs/6to4.htm
@ -1,69 +1,49 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>6to4 Tunnels</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
-      
+<h1 style="text-align: center;">6to4 Tunnels<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
      <tbody>
       <tr>
        <td width="100%">                     
      <h1 align="center"><font color="#ffffff">6to4 Tunnels</font></h1>
        </td>
      </tr>
  </tbody>   
 </table>
 <h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
-  </h3>
+</h3>
-   
+<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of
-<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
+Shorewall only facilitates IPv6 over IPv4 tunneling. It does not
- only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6
+provide any IPv6
 security measures.</h3>
-      
+<p>6to4 tunneling with Shorewall can be used to connect your IPv6
-<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
+network to another IPv6 network over an IPv4 infrastructure</p>
 to another IPv6 network over an IPv4 infrastructure</p>
 <p>More information on Linux and IPv6 can be found in the <a
 href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
 Details on how to setup a 6to4 tunnels are described in the section <a
 href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
-  of 6to4 tunnels</a>.</p>
+of 6to4 tunnels</a>.</p>
 <h2>Connecting two IPv6 Networks</h2>
 <p>Suppose that we have the following situation:</p>
 <p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
- width="745" height="427" alt="">
+ width="745" height="427" alt=""> </p>
-   </p>
+<p align="left">We want systems in the 2002:100:333::/64 subnetwork to
-      
+be able to communicate with the systems in the 2002:488:999::/64
-<p align="left">We want systems in the 2002:100:333::/64 subnetwork to be
+network. This is accomplished through use of the /etc/shorewall/tunnels
- able to communicate with the systems in the 2002:488:999::/64 network. This
+file and the "ip" utility for network interface and routing
- is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
+configuration.</p>
- utility for network interface  and routing configuration.</p>
+<p align="left">Unlike GRE and IPIP tunneling, the
-      
+/etc/shorewall/policy, /etc/shorewall/interfaces and
-<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
+/etc/shorewall/zones files are not used. There is no need to declare a
- /etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
+zone to represent the remote IPv6 network. This
- is no need to declare a zone to  represent the remote IPv6 network. This
+remote network is not visible on IPv4 interfaces and to iptables. All
-remote network is not visible on IPv4 interfaces and to  iptables. All that
+that
-is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
+is visible on the IPv4 level is an IPv4 stream which contains IPv6
- Separate IPv6 interfaces and ip6tables rules need to be defined to handle
+traffic. Separate IPv6 interfaces and ip6tables rules need to be
 defined to handle
 this traffic. </p>
-       
+<p align="left">In /etc/shorewall/tunnels on system A, we need the
-<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
+following:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -77,27 +57,22 @@ this traffic. </p>
        <td>6to4</td>
        <td>net</td>
        <td>134.28.54.2</td>
-          <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-    </blockquote>
+</blockquote>
-      
+<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
-<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6 
+IPv6 encapsulation protocol (41) will be accepted to/from the remote
-  encapsulation protocol (41) will be accepted to/from the remote gateway.</p>
+gateway.</p>
 <p>Use the following commands to setup system A:</p>
 <blockquote>
  <p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
-     &gt;ip link set dev tun6to4 up<br>
+&gt;ip link set dev tun6to4 up<br>
-     &gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
+&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
-     &gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
+&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
-    </blockquote>
+</blockquote>
 <p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -111,34 +86,28 @@ this traffic. </p>
        <td>6to4</td>
        <td>net</td>
        <td>206.191.148.9</td>
-          <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-    </blockquote>
+</blockquote>
 <p>And use the following commands to setup system B:</p>
 <blockquote>
  <p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
-     &gt;ip link set dev tun6to4 up<br>
+&gt;ip link set dev tun6to4 up<br>
-     &gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
+&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
-     &gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
+&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
-    </blockquote>
+</blockquote>
-       
+<p>On both systems, restart Shorewall and issue the configuration
-<p>On both systems, restart Shorewall and issue the configuration commands
+commands as listed above. The systems in both IPv6 subnetworks can now
- as  listed above. The systems in both IPv6 subnetworks can now talk to each
+talk to each other using IPv6.</p>
 other using IPv6.</p>
 <p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
- </font></p>
+</font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003Thomas M. Eastep and Eric de Thouars.</font></a></p>
-     <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/Banner.html
+++ b/Shorewall-docs/Banner.html
@ -0,0 +1,45 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <title>Banner</title>
  <meta name="author" content="Tom Eastep">
  <base target="main">
 </head>
 <body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
 link="#000099" vlink="#990099" alink="#000099">
 <table cellpadding="0"
 style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
 id="AutoNumber3">
  <tbody>
    <tr>
      <td style="text-align: center; width: 34%; vertical-align: top;">
      <div align="center"> <img src="images/Logo1.png"
 alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
 align="middle" title=""> </div>
      </td>
      <td style="vertical-align: top;">
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch"
 style="background-color: rgb(51, 102, 255);"> <strong><font
 color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
 is unavailable Daily 0200-0330 GMT.</font><br>
        <strong></strong>
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
        <font face="Arial" size="-1"> <input type="text" name="words"
 size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
 type="hidden" name="format" value="long"> <input type="hidden"
 name="method" value="and"> <input type="hidden" name="config"
 value="htdig"> <input type="submit" value="Search"><b><font
 color="#ffffff">&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <a
 href="http://lists.shorewall.net/htdig/search.html"
 style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
        <font face="Arial"> <input type="hidden" name="exclude"
 value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
      </td>
    </tr>
  </tbody>
 </table>
 </body>
 </html>
--- a/Shorewall-docs/CorpNetwork.htm
+++ b/Shorewall-docs/CorpNetwork.htm
@ -1,285 +1,229 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <html>
 <head>
- <!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
+<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
  <title>Corporate Shorewall Configuration</title>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta content="Microsoft FrontPage 5.0" name="GENERATOR">
  <meta content="FrontPage.Editor.Document" name="ProgId">
  <meta content="none" name="Microsoft Theme">
  <meta content="Graeme Boyle" name="author">
 </head>
-  <body>
+<body>
 <script><!--
 function PrivoxyWindowOpen(){return(null);}
 //--></script>
 <table id="AutoNumber1" style="border-collapse: collapse;" height="90"
 cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
 border="0">
    <tbody>
    <tr>
      <td width="100%">              
      <h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and Internal
       Servers</font></h1>
       </td>
     </tr>
  </tbody> 
 </table>
 <blockquote></blockquote>
-   
+<h1 style="text-align: center;">Corporate Network</h1>
 <h1>Corporate Network</h1>
 <p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
 color="#ff0000"><b>:</b></font></big></p>
 <blockquote>
  <ul>
    <li><b>This configuration is used on a corporate network that has a
-Linux      (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5 
+Linux (RedHat 8.0) server with three interfaces, running Shorewall
-     release,</b>      </li>
+1.4.5 release,</b> </li>
-     <li><b>Make sure you know what public IP addresses are currently being 
+    <li><b>Make sure you know what public IP addresses are currently
-used      and verify these </b><i>before</i><b> starting.</b>      </li>
+being used and verify these </b><i>before</i><b> starting.</b> </li>
-     <li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall 
+    <li><b>Verify your DNS settings </b><i>before</i><b> starting any
-     configuration especially if you have split DNS.</b>      </li>
+Shorewall configuration especially if you have split DNS.</b> </li>
-     <li><b>System names and Internet IP addresses have been changed to protect 
+    <li><b>System names and Internet IP addresses have been changed to
-     the innocent.</b> </li>
+protect the innocent.</b> </li>
  </ul>
-       
+  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
-  <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This    configuration
+configuration
-uses a combination of Static NAT and Proxy ARP. This is    generally not
+uses a combination of One-to-one NAT and Proxy ARP. This is generally
 not
 relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
 If you have just a single public IP address, most of what you see here
-won't apply to your setup so beware of    copying parts of this configuration
+won't apply to your setup so beware of copying parts of this
 configuration
 and expecting them to work for you. What you copy may or may not work
 in your configuration.<br>
  </small></b></big><br>
  </p>
  <p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
 internet is connected to eth0. The local network is connected via eth1
-(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have 
+(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
-an    IPSec tunnel connecting our offices in Germany to our offices in the 
+have an IPSec tunnel connecting our offices in Germany to our offices
-US. I    host two Microsoft Exchange servers for two different companies behind
+in the US. I host two Microsoft Exchange servers for two different
 companies behind
 the firewall hence, the two Exchange servers in the diagram below.</p>
  <p>Summary:<br>
  </p>
  <ul>
    <li>SNAT for all systems connected to the LAN - Internal addresses
 10.10.x.x to external address 192.0.18.127. </li>
-     <li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address 
+    <li>One-to-one NAT for <i>Polaris</i> (Exchange Server #2).
-     10.10.1.8 and external address 192.0.18.70.      </li>
+Internal
-     <li>Static NAT for <i>Sims</i> (Inventory Management server). Internal 
+address 10.10.1.8 and external address 192.0.18.70. </li>
-     address 10.10.1.56 and external address 192.0.18.75.<br>
+    <li>One-to-one NAT for <i>Sims</i> (Inventory Management server).
 Internal address 10.10.1.56 and external address 192.0.18.75.<br>
    </li>
-     <li>Static NAT for <i>Project</i> (Project Web Server). Internal address 
+    <li>One-to-one NAT for <i>Project</i> (Project Web Server).
-     10.10.1.55 and external address 192.0.18.84.      </li>
+Internal
-     <li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address 
+address 10.10.1.55 and external address 192.0.18.84. </li>
-     10.10.1.252 and external address 192.0.18.93.      </li>
+    <li>One-to-one NAT for <i>Fortress</i> (Exchange Server). Internal
-     <li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address 
+address 10.10.1.252 and external address 192.0.18.93. </li>
-     10.10.1.230 and external address 192.0.18.97.      </li>
+    <li>One-to-one NAT for <i>BBSRV</i> (Blackberry Server). Internal
-     <li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address 
+address 10.10.1.230 and external address 192.0.18.97. </li>
-     10.10.1.60 and external address 192.0.18.115. </li>
+    <li>One-to-one NAT for <i>Intweb</i> (Intranet Web Server).
-   
+Internal
 address 10.10.1.60 and external address 192.0.18.115. </li>
  </ul>
-       
+  <p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
-  <p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with 
+with RH8.0.</p>
  RH8.0.</p>
  <p>The Firewall is also a proxy server running Privoxy 3.0.</p>
-       
+  <p>The single system in the DMZ (address 192.0.18.80) runs sendmail,
-  <p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap, 
+imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd
-   pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That 
+1.1.0). That server is managed through Proxy ARP.</p>
-server    is managed through Proxy ARP.</p>
+  <p>All administration and publishing is done using ssh/scp. I have X
-       
+installed on the firewall and the system in the DMZ. X applications
-  <p>All administration and publishing is done using ssh/scp. I have X installed 
+tunnel through SSH to Hummingbird Exceed running on a PC located in the
-   on the firewall and the system in the DMZ. X applications tunnel through 
+LAN. Access to the firewall using SSH is restricted to systems in the
-SSH    to Hummingbird Exceed running on a PC located in the LAN. Access to 
+LAN, DMZ or the system Kaos which is on the Internet and managed by me.</p>
 the    firewall using SSH is restricted to systems in the LAN, DMZ or the 
 system Kaos    which is on the Internet and managed by me.</p>
  <p align="center"><img height="1000" alt="(Corporate Network Diagram)"
- src="images/CorpNetwork.gif" width="770" border="0">
+ src="images/CorpNetwork.gif" width="770" border="0"> </p>
  </p>
  <p></p>
-       
+  <p>The Ethernet 0 interface in the Server is configured with IP
-  <p>The Ethernet 0 interface in the Server is configured with IP address 
+address 192.0.18.68, netmask 255.255.255.192. The server's default
-   192.0.18.68, netmask 255.255.255.192. The server's default gateway is 
+gateway is 192.0.18.65, the Router connected to my network and the ISP.
-  192.0.18.65, the Router connected to my network and the ISP. This is the 
+This is the same default gateway used by the firewall itself. On the
-   same default gateway used by the firewall itself. On the firewall, Shorewall 
+firewall, Shorewall automatically adds a host route to 192.0.18.80
-   automatically adds a host route to 192.0.18.80 through Ethernet 2    (192.168.21.1) 
+through Ethernet 2 (192.168.21.1) because of the entry in
-because of the entry in /etc/shorewall/proxyarp (see below). I    modified 
+/etc/shorewall/proxyarp (see below). I modified the start, stop and
-the start, stop and init scripts to include the fixes suggested when    having 
+init scripts to include the fixes suggested when having an IPSec tunnel.</p>
 an IPSec tunnel.</p>
  <p><b>Some Mistakes I Made:</b></p>
-       
+  <p>Yes, believe it or not, I made some really basic mistakes when
-  <p>Yes, believe it or not, I made some really basic mistakes when building 
+building this firewall. Firstly, I had the new firewall setup in
-   this firewall. Firstly, I had the new firewall setup in parallel with the
+parallel with the
 old firewall so that there was no interruption of service to my users.
 During my out-bound testing, I set up systems on the LAN to utilize the
-firewall which    worked fine. When testing my NAT connections, from the outside,
+firewall which worked fine. When testing my NAT connections, from the
 outside,
 these would fail and I could not understand why. Eventually, I changed
-the default route    on the internal system I was trying to access, to point
+the default route on the internal system I was trying to access, to
-to the new firewall    and "bingo", everything worked as expected. This oversight
+point
-delayed my    deployment by a couple of days not to mention level of frustration
+to the new firewall and "bingo", everything worked as expected. This
 oversight
 delayed my deployment by a couple of days not to mention level of
 frustration
 it produced. </p>
-       
+  <p>Another problem that I encountered was in setting up the Proxyarp
-  <p>Another problem that I encountered was in setting up the Proxyarp system 
+system in the DMZ. Initially I forgot to remove the entry for the eth2
-in    the DMZ. Initially I forgot to remove the entry for the eth2 from the 
+from the /etc/shorewall/masq file. Once my file settings were correct,
-   /etc/shorewall/masq file. Once my file settings were correct, I started 
+I started verifying that the ARP caches on the firewall, as well as the
-   verifying that the ARP caches on the firewall, as well as the outside system
+outside system "kaos", were showing the correct Ethernet MAC address.
-   "kaos", were showing the correct Ethernet MAC address. However, in testing
+However, in testing remote access, I could access the system in the DMZ
-   remote access, I could access the system in the DMZ only from the firewall
+only from the firewall
-and    LAN but not from the Internet. The message I received was "connection
+and LAN but not from the Internet. The message I received was
 "connection
 denied" on all protocols. What I did not realize was that a "helpful"
-administrator    that had turned on an old system and assigned the same address
+administrator that had turned on an old system and assigned the same
-as the one I    was using for Proxyarp without notifying me. How did I work
+address
-this out. I    shutdown the system in the DMZ, rebooted the router and flushed
+as the one I was using for Proxyarp without notifying me. How did I
-the ARP cache    on the firewall and kaos. Then, from kaos, I started pinging
+work
 this out. I shutdown the system in the DMZ, rebooted the router and
 flushed
 the ARP cache on the firewall and kaos. Then, from kaos, I started
 pinging
 that IP address and checked the updated ARP cache and lo-and-behold a
 different MAC address showed up. High levels of frustration etc., etc.
 The administrator will <i>not</i> be doing that again! :-)</p>
  <p><b>Lessons Learned:</b></p>
  <ul>
    <li>Read the documentation. </li>
    <li>Draw your network topology before starting. </li>
-     <li>Understand what services you are going to allow in and out of the 
+    <li>Understand what services you are going to allow in and out of
-     firewall, whether they are TCP or UDP packets and make a note of these 
+the firewall, whether they are TCP or UDP packets and make a note of
-port      numbers.      </li>
+these port numbers. </li>
    <li>Try to get quiet time to build the firewall - you need to focus
 on the job at hand. </li>
-     <li>When asking for assistance, be honest and include as much detail 
+    <li>When asking for assistance, be honest and include as much
-as      requested. Don't try and hide IP addresses etc., you will probably 
+detail as requested. Don't try and hide IP addresses etc., you will
-screw up      the logs and make receiving assistance harder.      </li>
+probably screw up the logs and make receiving assistance harder. </li>
    <li>Read the documentation. </li>
  </ul>
  <p><b>Futures:</b></p>
-       
+  <p>This is by no means the final configuration. In the near future, I
-  <p>This is by no means the final configuration. In the near future, I will 
+will be moving more systems from the LAN to the DMZ. I will also be
-be    moving more systems from the LAN to the DMZ. I will also be watching 
+watching the logs for port scan programs etc. but, this should be
-the logs    for port scan programs etc. but, this should be standard security 
+standard security maintenance.</p>
-   maintenance.</p>
+  <p>Here are copies of my files. I have removed most of the internal
-       
+documentation
  <p>Here are copies of my files. I have removed most of the internal    documentation
 for the purpose of this space however, my system still has the original
 files with all the comments and I highly recommend you do the same.</p>
- </blockquote>
+</blockquote>
 <h3>Shorewall.conf</h3>
 <blockquote>
  <pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
- </blockquote>
+</blockquote>
 <h3>Zones File</h3>
 <blockquote>
  <pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
 face="Courier" size="2"><br></font></pre>
- </blockquote>
+</blockquote>
 <h3>Interfaces File: </h3>
 <blockquote>
  <p>##############################################################################<br>
- #ZONE    INTERFACE BROADCAST OPTIONS<br>
+#ZONE INTERFACE BROADCAST OPTIONS<br>
- net eth0 62.123.106.127    routefilter,norfc1918,blacklist,tcpflags<br>
+net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
- loc eth1 detect    dhcp,routefilter<br>
+loc eth1 detect dhcp,routefilter<br>
- dmz eth2 detect<br>
+dmz eth2 detect<br>
- vpn1 ipsec0<br>
+vpn1 ipsec0<br>
- #LAST LINE -- ADD YOUR    ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
- </blockquote>
+</blockquote>
 <h3>Routestopped File:</h3>
 <blockquote>
  <pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
 face="Courier" size="2">	</font></pre>
- </blockquote>
+</blockquote>
 <h3>Policy File:</h3>
 <blockquote>
  <pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
- </blockquote>
+</blockquote>
 <h3>Masq File: </h3>
 <blockquote>
  <pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
- </blockquote>
+</blockquote>
 <h3>NAT File: </h3>
 <blockquote>
  <pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
- </blockquote>
+</blockquote>
 <h3>Proxy ARP File:</h3>
 <blockquote>
  <pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE     	</font></pre>
- </blockquote>
+</blockquote>
 <h3>Tunnels File:</h3>
 <blockquote>
  <pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
- </blockquote>
+</blockquote>
 <h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
 <blockquote>
  <pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
- </blockquote>
+</blockquote>
 <h3>Start File:</h3>
 <blockquote>
  <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
- </blockquote>
+</blockquote>
 <h3>Stop File:</h3>
 <blockquote>
  <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
- </blockquote>
+</blockquote>
 <h3>Init File:</h3>
 <blockquote>
  <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
- </blockquote>
+</blockquote>
-   
+<p><font size="2">Last updated 11/13/2003</font>
 <p><font size="2">Last updated 7/16/2003</font>  
 <script><!--
 function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
-//</script>
+//</script><br>
-  <br>
+</p>
- </p>
+<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep
-   
+and
 <p><small><a href="GnuCopyright.htm">Copyright  2003 Thomas M. Eastep and
 Graeme Boyle</a></small><br>
- </p>
+</p>
- <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/Documentation.htm
+++ b/Shorewall-docs/Documentation.htm
@ -12,17 +12,8 @@
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Shorewall 1.4 Reference<br>
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
+</h1>
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall 1.4 Reference</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <h2 align="center">This documentation is intended primarily for
 reference. Step-by-step instructions for configuring Shorewall in
 common setups may be found in the <a
@ -66,7 +57,11 @@ field in packets is to be set.<br>
  <li><b><a href="#Scripts">common.def</a></b> -- a parameter file
 installed in in /etc/shorewall that defines firewall-wide rules that
 are applied before a DROP or REJECT policy is applied.</li>
-  <li><b> <a href="#Interfaces">interfaces</a> </b> -- a parameter
+  <li><span style="font-weight: bold;">init.sh </span>-- a shell
 script installed in /etc/init.d to automatically start Shorewall during
 boot.<br>
    <b> </b></li>
  <li><b><a href="#Interfaces">interfaces</a> </b> -- a parameter
 file installed in /etc/shorewall/ and used to describe the interfaces
 on the firewall system.</li>
  <li><a href="#Hosts"><b> hosts</b> </a>-- a parameter file installed
@ -78,15 +73,12 @@ possibly also the IP address(es)) of devices.<br>
  </li>
  <li><b> <a href="#Masq">masq</a></b> - This file also describes IP
 masquerading under Shorewall and is installed in /etc/shorewall.</li>
-  <li><b><a href="shorewall_firewall_structure.htm">firewall</a></b> --
+  <li><b>firewall</b> --
 a shell program that reads the configuration files in /etc/shorewall
-and configures your firewall. This file is installed in your init.d
+and configures your firewall. This file is installed in
-directory (/etc/rc.d/init.d ) where it is renamed <i>shorewall.</i>
+/usr/share/shorewall.</li>
 /etc/shorewall/firewall (/var/lib/shorewall/firewall in versions
 1.3.2-1.3.8 and /usr/lib/shorewall/firewall in 1.3.9 and later) is a
 symbolic link to this program.</li>
  <li><b> <a href="#NAT">nat</a></b> -- a parameter file in
-/etc/shorewall used to define <a href="#NAT"> static NAT</a> .</li>
+/etc/shorewall used to define <a href="#NAT">one-to-one NAT</a> .</li>
  <li><b> <a href="#ProxyArp">proxyarp</a></b> -- a parameter file in
 /etc/shorewall used to define <a href="#ProxyArp"> Proxy Arp</a> .</li>
  <li><b><a href="#rfc1918">rfc1918</a></b> -- a parameter file in
@ -1190,6 +1182,13 @@ header-rewriting rule.<br>
      </li>
      <li>LOG - Log the packet -- requires
 a syslog level (see below).</li>
      <li>QUEUE - Forward the packet to a user-space application. This
 facility is provided to allow interfacing to <a
 href="http://p2pwall.sourceforge.net">ftwall</a> for <a
 href="Shorewall_and_Kazaa.html">Kazaa filtering</a>. Note: When the
 protocol specified in the PROTO column is TCP ("tcp", "TCP" or "6"),
 Shorewall will only pass connection requests (SYN packets) to user
 space. This is for compatibility with ftwall.</li>
    </ul>
    <p>Beginning with Shorewall version 1.4.7, you may rate-limit the
 rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
@ -2253,16 +2252,20 @@ following (I haven't tried it):</p>
 <p>In /etc/shorewall/start, include:</p>
 <p> qt service ipsec start</p>
 <h2><font color="#660066"><b><a name="NAT"></a> </b></font>/etc/shorewall/nat</h2>
-<p>The /etc/shorewall/nat file is used to define static NAT. There is
+<p>The /etc/shorewall/nat file is used to define one-to-one NAT. There
-one entry in the file for each static NAT relationship that you wish to
+is
 one entry in the file for each one-to-one NAT relationship that you
 wish to
 define. In order to make use of this feature, you must have <a
 href="#NatEnabled">NAT enabled</a> .</p>
 <p> <font color="#ff0000"> <b>IMPORTANT: If all you want to do is
 forward ports to servers behind your firewall, you do NOT want to use
-static NAT. Port forwarding can be accomplished with simple entries in
+one-to-one NAT. Port forwarding can be accomplished with simple entries
 in
 the <a href="#Rules"> rules file</a>. Also, in most cases <a
- href="#ProxyArp"> Proxy ARP</a> provides a superior solution to static
+ href="#ProxyArp"> Proxy ARP</a> provides a superior solution to
-NAT because the internal systems are accessed using the same IP address
+one-to-one NAT because the internal systems are accessed using the same
 IP address
 internally and externally.</b></font></p>
 <p>Columns in an entry are:</p>
 <ul>
@ -2465,7 +2468,8 @@ individual rule for each listed port or port range. </p>
  <li><b>NAT_BEFORE_RULES</b><br>
 If set to "No" or "no", port forwarding rules can override the contents
 of the <a href="#NAT">/etc/shorewall/nat</a> file. If set to "Yes" or
-"yes", port forwarding rules cannot override static NAT. If not set or
+"yes", port forwarding rules cannot override one-to-one NAT. If not set
 or
 set to an empty value,
 "Yes" is assumed.</li>
  <li><b>FW<br>
@ -2515,7 +2519,7 @@ this parameter is now automatically detected by Shorewall)<br>
 This parameter determines whether Shorewall supports NAT operations.
 NAT operations include:<br>
    <br>
-Static NAT<br>
+One-to-one NAT<br>
 Port Forwarding<br>
 Port Redirection<br>
 Masquerading<br>
@ -2842,7 +2846,7 @@ Validation Documentation</a>.<br>
 <h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
 This file is described in the <a href="ECN.html">ECN Control
 Documentation</a>.<br>
-<p><font size="-1"> Updated 8/21/2003 - <a href="support.htm">Tom
+<p><font size="-1"> Updated 11/15/2003 - <a href="support.htm">Tom
 Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
--- a/Shorewall-docs/ECN.html
+++ b/Shorewall-docs/ECN.html
@ -2,65 +2,51 @@
 <html>
 <head>
  <title>Shorewall and ECN</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
-  <body>
+<body>
- 
+<br>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">ECN<br>
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
+</h1>
- bgcolor="#3366ff" height="90">
+Explicit Congestion Notification (ECN) is described in RFC 3168 and is
-                                                        <tbody>
+a proposed internet standard. Unfortunately, not all sites support ECN
-                                                         <tr>
+and when
-                                                          <td
+a TCP connection offering ECN is sent to sites that don't support it,
- width="100%">                   
+the
      <h1 align="center"><font color="#ffffff">ECN</font></h1>
                                                          </td>
                                                        </tr>
  </tbody>  
 </table>
 <br>
 Explicit Congestion Notification (ECN) is described in RFC 3168 and is a 
 proposed internet standard. Unfortunately, not all sites support ECN and when
 a TCP connection offering ECN is sent to sites that don't support it, the
 result is often that the connection request is ignored.<br>
- <br>
+<br>
- To allow ECN to be used, Shorewall allows you to enable ECN on your Linux 
+To allow ECN to be used, Shorewall allows you to enable ECN on your
-systems then disable it in your firewall when the destination matches a list 
+Linux systems then disable it in your firewall when the destination
-that you create (the /etc/shorewall/ecn file).<br>
+matches a list that you create (the /etc/shorewall/ecn file).<br>
- <br>
+<br>
- You enable ECN by<br>
+You enable ECN by<br>
- <br>
+<br>
 <blockquote>
  <pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
- </blockquote>
+</blockquote>
- You must arrange for that command to be executed at system boot. Most distributions 
+You must arrange for that command to be executed at system boot. Most
-have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br>
+distributions have a method for doing that -- on RedHat, you make an
- <br>
+entry in /etc/sysctl.conf.<br>
- 
+<br>
 <blockquote>
  <pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
- </blockquote>
+</blockquote>
- Entries in /etc/shorewall/ecn have two columns as follows:<br>
+Entries in /etc/shorewall/ecn have two columns as follows:<br>
- <br>
+<br>
- INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
+INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
- <br>
+<br>
- HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or subnet) 
+HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or
-of a system or group of systems accessed through the &nbsp;interface in the 
+subnet) of a system or group of systems accessed through the
-first column. You may include a comma-separated list of such addresses in 
+&nbsp;interface in the first column. You may include a comma-separated
-this column. <br>
+list of such addresses in this column. <br>
- <br>
+<br>
- Example: Your external interface is eth0 and you want to disable ECN for 
+Example: Your external interface is eth0 and you want to disable ECN
-tcp connections to 192.0.2.0/24:<br>
+for tcp connections to 192.0.2.0/24:<br>
- <br>
+<br>
- In /etc/shorewall/ecn:<br>
+In /etc/shorewall/ecn:<br>
- <br>
+<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -76,16 +62,15 @@ tcp connections to 192.0.2.0/24:<br>
        <td valign="top">192.0.2.0/24<br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
- </blockquote>
+</blockquote>
- <font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom    Eastep</a></font>
+<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom
-   
+Eastep</a></font>
 <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  </p>
+</p>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/FAQ.htm
+++ b/Shorewall-docs/FAQ.htm
@ -10,20 +10,11 @@
  <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Shorewall FAQs<br>
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <h1>Looking for Step by Step Configuration Instructions? Check out the <a
 href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
 </h1>
 <h2>Looking for Step by Step Configuration Instructions? Check out the <a
 href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
 </h2>
 <h1>PORT FORWARDING<br>
 </h1>
 <p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b>
@ -41,8 +32,8 @@ connection
 to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
 </p>
 <p align="left"><span style="font-weight: bold;">30.<a
- href="file:///vfat/Shorewall-docs/FAQ.htm#faq30"> </a></span><a
+ href="FAQ.htm#faq30"> </a></span><a href="FAQ.htm#faq30">I'm confused
- href="#faq30">I'm confused about <span style="font-weight: bold;">when</span>
+about <span style="font-weight: bold;">when</span>
 to use <span style="font-weight: bold;">DNAT</span> rules <span
 style="font-weight: bold;">and when</span> to use <span
 style="font-weight: bold;">ACCEPT</span> rules. </a> </p>
@ -53,7 +44,7 @@ requests to www.mydomain.com (IP 130.151.100.69)
 to system 192.168.1.5 in my local network. <b>External clients can
 browse</b> http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
 <p align="left"><b>2a. </b><a href="#faq2a">I have a zone "Z" with an
-RFC1918 subnet and I use <b>static NAT</b> to
+RFC1918 subnet and I use <b>one-to-one NAT</b> to
 assign non-RFC1918 addresses to hosts in Z.
 Hosts in Z cannot communicate with each other using their external
 (non-RFC1918 addresses) so they <b>can't access
@ -109,6 +100,11 @@ getting <b>logged?</b></a><br>
 <b><br>
 21. </b><a href="#faq21">I see these <b>strange log entries </b>occasionally;
 what are they?</a><br>
 <h1>ROUTING</h1>
 <span style="font-weight: bold;">32. </span><a href="#faq32">My
 firewall has <span style="font-weight: bold;">two connections to the
 internet from two different ISPs</span>. How do I set this up in
 Shorewall?</a><br>
 <h1>STARTING AND STOPPING<br>
 </h1>
 <p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
@ -140,6 +136,9 @@ your <b>web site</b>?</a><br>
 <b><br>
 25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
 I am <b>running</b>?</a><br>
 <br>
 <span style="font-weight: bold;">31. </span><a href="#faq31">Does
 Shorewall provide protection against...</a><br>
 <h1>RFC 1918<br>
 </h1>
 <p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable
@ -173,7 +172,15 @@ only<b> from specific IP Addresses</b> on the internet?</a><br>
 options in nmap</b> on or behind the firewall, I get "<b>operation not
 permitted</b>". How can I use nmap with Shorewall?"</a><br>
 <br>
-<b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my
+<b><span style="font-weight: bold;">26a.&nbsp; </span></b><a
 href="#faq26a">When I try
 to use the <span style="font-weight: bold;">"-O" option of nmap</span>
 from the firewall system, I get "<span style="font-weight: bold;">operation
 not permitted". </span>How to I allow this option?</a><b><span
 style="font-weight: bold;"><a href="#faq26a"> </a><br>
 <br>
 </span>27. </b><a href="#faq27">I am compiling a <b>new kernel</b>
 for my
 firewall<b>.</b> What should I look out for?</a><br>
 <br>
 <b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging
@ -282,8 +289,9 @@ three things:</p>
 <ul>
  <li>You are trying to test from inside your firewall (no, that won't
 work -- see <a href="#faq2">FAQ #2</a>).</li>
-  <li>You have a more basic problem with your local system such as an
+  <li>You have a more basic problem with your local system (the one
-incorrect default gateway configured (it should be set to the IP
+that you are trying to forward to) such as an
 incorrect default gateway (it should be set to the IP
 address of your firewall's internal interface).</li>
  <li>Your ISP is blocking that particular port inbound.<br>
  </li>
@ -306,8 +314,9 @@ packet count in the first column non-zero? If so, the connection
 request is reaching the firewall and is being redirected to the server.
 In this case, the problem is
 usually a missing or incorrect default gateway setting
-on the server (the server's default gateway should be the
+on the local system (the system you are trying to forward to -- its
-IP address of the firewall's interface to the server).</li>
+default gateway should be the
 IP address of the firewall's interface to that system).</li>
  <li>If the
 packet count is zero:</li>
  <ul>
@ -328,6 +337,7 @@ ethereal to further diagnose the problem.<br>
 want to connect to port 1022 on my firewall and have the firewall
 forward the connection to port 22 on local system 192.168.1.3. How do I
 do that?</h4>
 In /etc/shorewall/rules:<br>
 <div align="left">
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -377,7 +387,7 @@ Firewall, of course :-)</li>
 using a separate DNS server for local clients) such that
 www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5
 internally. That's what I do here at shorewall.net for my local systems
-that use static NAT.</li>
+that use one-to-one NAT.</li>
 </ul>
 <p align="left">If you insist on an IP solution to the accessibility
 problem rather than a DNS solution, then assuming that your external
@ -401,7 +411,7 @@ please upgrade to Shorewall 1.4.2 or later.<br>
  <li>In /etc/shorewall/interfaces:</li>
 </ul>
 <blockquote>
-  <table cellpadding="2" cellspacing="0" border="1">
+  <table cellpadding="2" border="1">
    <tbody>
      <tr>
        <td valign="top">ZONE<br>
@ -507,7 +517,8 @@ DHCP/PPPoE client to automatically restart Shorewall each time that you
 get a new IP address.</p>
 </div>
 <h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an
-RFC1918 subnet and I use static NAT to assign non-RFC1918 addresses to
+RFC1918 subnet and I use one-to-one NAT to assign non-RFC1918 addresses
 to
 hosts in Z. Hosts in Z cannot communicate with each other using their
 external (non-RFC1918 addresses) so they can't access each other using
 their DNS names.</h4>
@ -521,7 +532,7 @@ solved using Bind Version 9 "views". It allows
 both external and internal clients to access
 a NATed host using the host's DNS name.</p>
 <p align="left">Another good way to approach this problem is to switch
-from static NAT to Proxy ARP. That way, the
+from one-to-one NAT to Proxy ARP. That way, the
 hosts in Z have non-RFC1918 addresses and can
 be accessed externally and internally using the same address.</p>
 <p align="left">If you don't like those solutions and prefer routing
@ -984,9 +995,44 @@ cause of packets being logged in the FORWARD chain.<br>
  </li>
  <li><b>logflags </b>- The packet is being logged because it failed
 the checks implemented by the <b>tcpflags </b><a
- href="Documentation.htm#Interfaces">interface option</a>.<br>
+ href="Documentation.htm#Interfaces">interface option</a>.</li>
  </li>
 </ol>
 <p align="left">Here is an example:</p>
 <font face="Century Gothic, Arial, Helvetica">
 <p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
 Shorewall:<span style="text-decoration: underline;">all2all:REJECT</span>:<span
 style="text-decoration: underline;">IN=eth2</span> <span
 style="text-decoration: underline;">OUT=eth1</span> <span
 style="text-decoration: underline;">SRC=192.168.2.2</span>
 <span style="text-decoration: underline;">DST=192.168.1.3</span> LEN=67
 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF <span
 style="text-decoration: underline;">PROTO=UDP</span>
 SPT=1803 <span style="text-decoration: underline;">DPT=53</span> LEN=47</font></p>
 </font>
 <p align="left">Let's look at the important parts of this message:</p>
 <ul>
  <li>all2all:REJECT - This packet was REJECTed out of the <span
 style="font-weight: bold;">all2all</span> chain -- the packet
 was rejected under the "all"-&gt;"all"
 REJECT policy (number 3 above).</li>
  <li>IN=eth2 - the packet entered the firewall via eth2. If you see
 "IN=" with no interface name, the packet originated on the firewall
 itself.<br>
  </li>
  <li>OUT=eth1 - if accepted, the packet would be sent on eth1. If you
 see "OUT=" with no interface name, the packet would be processed by the
 firewall itself.<br>
  </li>
  <li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
  <li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
  <li>PROTO=UDP - UDP Protocol</li>
  <li>DPT=53 - The destination port is 53 (DNS)<br>
  </li>
 </ul>
 <p align="left">In this case, 192.168.2.2 was in the "dmz" zone and
 192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
 &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
 loc&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 53
 <h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip
 addresses</b> with Shorewall, and maintain separate rulesets for
 different IPs?</h4>
@ -1079,13 +1125,22 @@ Shorewall</b> I am <b>running</b>?<br>
 At the shell prompt, type:<br>
 <br>
 <font color="#009900"><b> /sbin/shorewall
-version</b></font><br>
+version<br>
 </b></font>
 <h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN
 options in nmap on or behind the firewall, I get "operation not
 permitted".
 How can I use nmap with Shorewall?"</h4>
 Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
 "NEWNOTSYN=Yes" then restart Shorewall.<br>
 <br>
 <h4><a name="faq26a"></a><b><span style="font-weight: bold;">26a.&nbsp;
 </span></b>When I try to use the <span style="font-weight: bold;">"-O"
 option of nmap</span> from the firewall system, I get "<span
 style="font-weight: bold;">operation not permitted". </span>How to I
 allow this option?</h4>
 Add this command to your /etc/shorewall/start file:<br>
 <pre style="margin-left: 40px;"><tt>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</tt><br></pre>
 <h4><a name="faq27">27. I'm compiling a new kernel for my firewall.
 What
 should I look out for?</a></h4>
@ -1118,8 +1173,208 @@ to allow connections from the internet to your local network. In all
 other cases, you use ACCEPT unless you need to hijack connections as
 they go through your firewall and handle them on the firewall box
 itself; in that case, you use a REDIRECT rule.<br>
 <h4><a name="faq31"></a>31. Does Shorewall provide protection
 against....</h4>
 <ol>
  <li>IP Spoofing: Sending packets over the WAN interface using an
 internal LAP IP address as the source address? <span
 style="font-weight: bold;">Answer: </span>Yes.</li>
  <li>Tear Drop: Sending packets that contain overlapping fragments? <span
 style="font-weight: bold;">Answer: </span>This is the responsibility
 of the IP stack, not the Netfilter-based firewall since fragment
 reassembly occurs before the stateful packet filter ever touches each
 packet.</li>
  <li>Smurf and Fraggle: Sending packets that use the WAN or LAN
 broadcast address as the source address? <span
 style="font-weight: bold;">Answer: </span>Shorewall can be configured
 to do that using the <a href="blacklisting_support.htm">blacklisting</a>
 facility.</li>
  <li>Land Attack: Sending packets that use the same address as the
 source and destination address? <span style="font-weight: bold;">Answer:
    </span>Yes, if the <a href="Documentation.htm#Interfaces">routefilter
 interface option</a> is selected.</li>
  <li>DOS:<br>
 &nbsp;&nbsp; - SYN Dos<br>
 &nbsp;&nbsp; - ICMP Dos<br>
 &nbsp;&nbsp; - Per-host Dos protection<br>
    <span style="font-weight: bold;">Answer: </span>Shorewall has
 facilities for limiting SYN and ICMP packets. Netfilter as included in
 standard Linux kernels doesn't support per-remote-host limiting except
 by explicit rule that specifies the host IP address; that form of
 limiting is supported by Shorewall.</li>
 </ol>
 <h4><a name="faq32"></a><span style="font-weight: bold;">32. </span>My
 firewall has two connections to the internet from two different ISPs.
 How do I set this up in Shorewall?</h4>
 Setting this up in Shorewall is easy; setting up the routing is a bit
 harder.<br>
 <br>
-<font size="2">Last updated 10/04/2003 - <a href="support.htm">Tom
+Assuming that eth0 and eth1 are the interfaces to the two ISPs then:<br>
 <br>
 /etc/shorewall/interfaces:<br>
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber2">
    <tbody>
      <tr>
        <td><u><b>ZONE</b></u></td>
        <td><u><b>INTERFACE</b></u></td>
        <td><u><b>BROADCAST</b></u></td>
        <td><u><b>OPTIONS</b></u></td>
      </tr>
      <tr>
        <td>net<br>
        </td>
        <td>eth0</td>
        <td>detect<br>
        </td>
        <td>...<br>
        </td>
      </tr>
      <tr>
        <td style="vertical-align: top;">net<br>
        </td>
        <td style="vertical-align: top;">eth1<br>
        </td>
        <td style="vertical-align: top;">detect<br>
        </td>
        <td style="vertical-align: top;">...<br>
        </td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 /etc/shorewall/policy:<br>
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
    <tbody>
      <tr>
        <td><u><b>SOURCE </b></u></td>
        <td><u><b>DESTINATION</b></u></td>
        <td><u><b>POLICY</b></u></td>
        <td><u><b>LIMIT:BURST</b></u></td>
      </tr>
      <tr>
        <td>net<br>
        </td>
        <td>net<br>
        </td>
        <td>DROP<br>
        </td>
        <td> <br>
        </td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <hr style="width: 100%; height: 2px;">The following information
 regarding setting up routing for this
 configuration is reproduced from the <a href="http://www.lartc.org">LARTC
 HOWTO</a> and has not been verified by the author. If you have
 questions or problems with the instructions given below, please post to
 the <a href="http://www.lartc.org/#mailinglist">LARTC mailing list</a>.<br>
 <hr style="width: 100%; height: 2px;">A common configuration is the
 following, in which there are two providers
 that connect a local network (or even a single machine) to the big
 Internet.
 <pre class="SCREEN">                                                                 ________<br>                                          +------------+        /<br>                                          |            |       |<br>                            +-------------+ Provider 1 +-------<br>        __                  |             |            |     /<br>    ___/  \_         +------+-------+     +------------+    |<br>  _/        \__      |     if1      |                      /<br> /             \     |              |                      |<br>| Local network -----+ Linux router |                      |     Internet<br> \_           __/    |              |                      |<br>   \__     __/       |     if2      |                      \<br>      \___/          +------+-------+     +------------+    |<br>                            |             |            |     \<br>                            +-------------+ Provider 2 +-------<br>                                          |            |       |<br>                                          +------------+        \________</pre>
 <p>There are usually two questions given this setup.</p>
 <div class="SECT2">
 <h2 class="SECT2">Split access</h2>
 <p> The first is how to route answers to packets coming in over a
 particular provider, say Provider 1, back out again over that same
 provider. </p>
 <p> Let us first set some symbolical names. Let <b class="COMMAND">$IF1</b>
 be the name of the first interface (if1 in the picture above) and <b
 class="COMMAND">$IF2</b> the name of the second interface. Then let <b
 class="COMMAND">$IP1</b> be the IP address associated with <b
 class="COMMAND">$IF1</b> and <b class="COMMAND">$IP2</b> the IP
 address associated with <b class="COMMAND">$IF2</b>. Next, let <b
 class="COMMAND">$P1</b> be the IP address of the gateway at Provider
 1, and <b class="COMMAND">$P2</b> the IP address of the gateway at
 provider 2. Finally, let <b class="COMMAND">$P1_NET</b> be the IP
 network <b class="COMMAND">$P1</b> is in, and <b class="COMMAND">$P2_NET</b>
 the IP network <b class="COMMAND">$P2</b> is in. </p>
 <p> One creates two additional routing tables, say <b class="COMMAND">T1</b>
 and <b class="COMMAND">T2</b>. These are added in
 /etc/iproute2/rt_tables. Then you set up routing in these tables as
 follows: </p>
 <p> </p>
 <pre class="SCREEN">	  ip route add $P1_NET dev $IF1 src $IP1 table T1<br>	  ip route add default via $P1 table T1<br>	  ip route add $P2_NET dev $IF2 src $IP2 table T2<br>	  ip route add default via $P2 table T2<br>	</pre>
 Nothing spectacular, just build a route to the gateway and build a
 default route via that gateway, as you would do in the case of a single
 upstream provider, but put the routes in a separate table per provider.
 Note that the network route suffices, as it tells you how to find any
 host in that network, which includes the gateway, as specified above.
 <p> Next you set up the main routing table. It is a good idea to route
 things to the direct neighbour through the interface connected to that
 neighbour. Note the `src' arguments, they make sure the right outgoing
 IP address is chosen. </p>
 <pre class="SCREEN">	    ip route add $P1_NET dev $IF1 src $IP1<br>	    ip route add $P2_NET dev $IF2 src $IP2<br>	  </pre>
 Then, your preference for default route:
 <pre class="SCREEN">	    ip route add default via $P1<br>	  </pre>
 Next, you set up the routing rules. These actually choose what routing
 table to route with. You want to make sure that you route out a given
 interface if you already have the corresponding source address:
 <pre class="SCREEN">	    ip rule add from $IP1 table T1<br>	    ip rule add from $IP2 table T2<br>	  </pre>
 This set of commands makes sure all answers to traffic coming in on a
 particular interface get answered from that interface.
 <p> </p>
 <div class="WARNING">
 <table class="WARNING" width="100%" border="0">
  <tbody>
    <tr>
      <td width="25" align="center" valign="top"><img
 src="images/BD21298_.gif" hspace="5" alt="Warning" title=""
 style="width: 13px; height: 13px;"></td>
      <td align="left" valign="top">
      <p>Reader Rod Roark notes: 'If $P0_NET is the local network and
 $IF0 is its interface,
 the following additional entries are desirable: </p>
      <pre class="SCREEN">ip route add $P0_NET     dev $IF0 table T1<br>ip route add $P2_NET     dev $IF2 table T1<br>ip route add 127.0.0.0/8 dev lo   table T1<br>ip route add $P0_NET     dev $IF0 table T2<br>ip route add $P1_NET     dev $IF1 table T2<br>ip route add 127.0.0.0/8 dev lo   table T2                                      </pre>
 '</td>
    </tr>
  </tbody>
 </table>
 </div>
 <p> Now, this is just the very basic setup. It will work for all
 processes running on the router itself, and for the local network, if
 it is masqueraded. If it is not, then you either have IP space from
 both providers or you are going to want to masquerade to one of the two
 providers. In both cases you will want to add rules selecting which
 provider to route out from based on the IP address of the machine in
 the local network. </p>
 </div>
 <div class="SECT2">
 <h2 class="SECT2">Load balancing</h2>
 <p> The second question is how to balance traffic going out over the
 two providers. This is actually not hard if you already have set up
 split access as above. </p>
 <p> Instead of choosing one of the two providers as your default route,
 you now set up the default route to be a multipath route. In the
 default kernel this will balance routes over the two providers. It is
 done as follows (once more building on the example in the section on
 split-access): </p>
 <pre class="SCREEN">	    ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \<br>	    nexthop via $P2 dev $IF2 weight 1<br>	  </pre>
 This will balance the routes over both providers. The <b
 class="COMMAND">weight</b> parameters can be tweaked to favor one
 provider over the other.
 <p> Note that balancing will not be perfect, as it is route based, and
 routes are cached. This means that routes to often-used sites will
 always be over the same provider. </p>
 <p> Furthermore, if you really want to do this, you probably also want
 to look at Julian Anastasov's patches at <a
 href="http://www.ssi.bg/%7Eja/#routes" target="_top">http://www.ssi.bg/~ja/#routes
 </a>, Julian's route patch page. They will make things nicer to work
 with. </p>
 </div>
 <hr style="width: 100%; height: 2px;">End of information reproduced
 from the LARTC HOWTO. If you have
 questions or problems with the instructions given above, please post to
 the <a href="http://www.lartc.org/#mailinglist">LARTC mailing list</a>.
 <hr style="width: 100%; height: 2px;"><font size="2">Last updated
 11/20/2003 - <a href="support.htm">Tom
 Eastep</a></font>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/FTP.html
+++ b/Shorewall-docs/FTP.html
@ -8,19 +8,37 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <h2></h2>
 <blockquote> </blockquote>
 <h1 style="text-align: center;">Shorewall and FTP<br>
 </h1>
 <hr style="width: 100%; height: 2px;">
 <p><span style="font-weight: bold;">NOTICE: </span>If you are running
 Mandrake 9.1 or 9.2 and are having problems with FTP, you have three
 choices:</p>
 <ol>
  <li>Edit /usr/share/shorewall/firewall and replace this line:<br>
    <br>
 &nbsp;&nbsp; <tt>for suffix in o gz ko ; do<br>
    </tt><br>
 with<br>
    <br>
 &nbsp;&nbsp; <tt>for suffix in o gz ko <span
 style="font-weight: bold;">o.gz </span>; do<br>
    <br>
    </tt>and at a root shell prompt:<br>
    <br>
    <tt>&nbsp;<span style="font-weight: bold; color: rgb(0, 153, 0);">shorewall
 restart</span><br style="font-weight: bold; color: rgb(0, 153, 0);">
    <br>
    </tt></li>
  <li>Install the Mandrake "cooker" version of Shorewall.<br>
    <br>
  </li>
  <li>Upgrade to Shorewall 1.4.7 or later.<br>
  </li>
 </ol>
 <hr style="width: 100%; height: 2px;">
 <p>FTP transfers involve two TCP connections. The first <u>control</u>
 connection goes from the FTP client to port 21 on the FTP server. This
 connection is used for logon and to send commands and responses between
@ -30,7 +48,8 @@ connection is dependent on the <u>mode</u>
 that the client is operating in:<br>
 </p>
 <ul>
-  <li>Passive Mode (default for web browsers) -- The client issues a
+  <li>Passive Mode (often the default for web browsers) -- The client
 issues a
 PASV command. Upon receipt of this command, the server listens on a
 dynamically-allocated port then sends a PASV reply to the client. The
 PASV reply gives the IP address
@ -91,13 +110,17 @@ that the
 modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
 Shorewall automatically
 loads these "helper" modules from /lib/modules/&lt;<i>kernel-version&gt;</i>/kernel/net/ipv4/netfilter/
-and you can determine if they are loaded using the 'lsmod' command:<br>
+and you can determine if they are loaded using the 'lsmod' command. The
 &lt;<span style="font-style: italic;">kernel-version</span>&gt; may be
 obtained by typing<br>
 </p>
 <pre>	<span style="color: rgb(0, 153, 0);"><span
 style="font-weight: bold;">uname -r</span></span>
 Example:<br></pre>
 <blockquote>
  <p>Example:<br>
  </p>
  <blockquote>
-    <pre>[root@lists etc]# lsmod<br>Module                  Size  Used by    Not tainted<br>autofs                 12148   0  (autoclean) (unused)<br>ipt_TOS                 1560  12  (autoclean)<br>ipt_LOG                 4120   5  (autoclean)<br>ipt_REDIRECT            1304   1  (autoclean)<br>ipt_REJECT              3736   4  (autoclean)<br>ipt_state               1048  13  (autoclean)<br>ip_nat_irc              3152   0  (unused)<br><b>ip_nat_ftp              3888   0  (unused)</b><br>ip_conntrack_irc        3984   1<br><b>ip_conntrack_ftp        5008   1</b><br>ipt_multiport           1144   2  (autoclean)<br>ipt_conntrack           1592   0  (autoclean)<br>iptable_filter          2316   1  (autoclean)<br>iptable_mangle          2680   1  (autoclean)<br>iptable_nat            20568   3  (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack           26088   5  (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables              14488  12  [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip                  42464   0  (unused)<br>e100                   50596   1<br>keybdev                 2752   0  (unused)<br>mousedev                5236   0  (unused)<br>hid                    20868   0  (unused)<br>input                   5632   0  [keybdev mousedev hid]<br>usb-uhci               24684   0  (unused)<br>usbcore                73280   1  [hid usb-uhci]<br>ext3                   64704   2<br>jbd                    47860   2  [ext3]<br>[root@lists etc]#<br></pre>
+    <pre>[root@lists etc]# lsmod<br>Module                  Size  Used by    Not tainted<br>autofs                 12148   0  (autoclean) (unused)<br>ipt_TOS                 1560  12  (autoclean)<br>ipt_LOG                 4120   5  (autoclean)<br>ipt_REDIRECT            1304   1  (autoclean)<br>ipt_REJECT              3736   4  (autoclean)<br>ipt_state               1048  13  (autoclean)<br>ip_nat_irc              3152   0  (unused)<br><b>ip_nat_ftp              3888   0  (unused)</b><br>ip_conntrack_irc        3984   1<br><b>ip_conntrack_ftp        5008   1</b><br>ipt_multiport           1144   2  (autoclean)<br>ipt_conntrack           1592   0  (autoclean)<br>iptable_filter          2316   1  (autoclean)<br>iptable_mangle          2680   1  (autoclean)<br>iptable_nat            20568   3  (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack           26088   5  (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc<br>					      ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp<br>                                              ipt_conntrack iptable_nat]<br>ip_tables              14488  12  [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state<br>                                  ipt_multiport ipt_conntrack iptable_filter<br>                                  iptable_mangle iptable_nat]<br>tulip                  42464   0  (unused)<br>e100                   50596   1<br>keybdev                 2752   0  (unused)<br>mousedev                5236   0  (unused)<br>hid                    20868   0  (unused)<br>input                   5632   0  [keybdev mousedev hid]<br>usb-uhci               24684   0  (unused)<br>usbcore                73280   1  [hid usb-uhci]<br>ext3                   64704   2<br>jbd                    47860   2  [ext3]<br>[root@lists etc]#<br></pre>
  </blockquote>
 </blockquote>
 <blockquote> </blockquote>
@ -105,6 +128,12 @@ and you can determine if they are loaded using the 'lsmod' command:<br>
 directory, you need to set the MODULESDIR variable in
 /etc/shorewall/shorewall.conf to point to that directory.<br>
 </p>
 <p>If your FTP helper modules are compressed and have the names <span
 style="font-style: italic;">ip_nat_ftp.o.gz </span>and <span
 style="font-style: italic;">ip_conntrack_ftp.o.gz</span> then you will
 need Shorewall 1.4.7 or later if you want Shorewall to load them for
 you.<br>
 </p>
 <p>Server configuration is covered in <a href="Documentation.htm#Rules">the
 /etc/shorewall/rules documentation</a>,<br>
 </p>
@ -203,7 +232,7 @@ to the net.<br>
  <p> </p>
 </blockquote>
 <blockquote> </blockquote>
-<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 12/01/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
 <a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2003 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/GenericTunnels.html
+++ b/Shorewall-docs/GenericTunnels.html
@ -8,17 +8,8 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Generic Tunnels<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Generic Tunnels</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 Shorewall includes built-in support for a wide range of VPN solutions.
 If you have need for a tunnel type that does not have explicit support,
 you can generally describe the tunneling software using "generic
--- a/Shorewall-docs/GnuCopyright.htm
+++ b/Shorewall-docs/GnuCopyright.htm
@ -1,341 +1,420 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Copyright</title>
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">GNU Free Documentation License<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
   <tbody>
    <tr>
     <td width="100%">     
      <h2 align="center"><font color="#ffffff">GNU Free Documentation License</font></h2>
     </td>
   </tr>
  </tbody>
 </table>
 <p>Version 1.1, March 2000 </p>
 <pre>Copyright (C) 2000  Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA  02111-1307  USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
 <p><strong>0. PREAMBLE</strong> </p>
- 
+<p>The purpose of this License is to make a manual, textbook, or other
-<p>The purpose of this License is to make a manual, textbook, or other written 
+written document "free" in the sense of freedom: to assure everyone the
-document "free" in the sense of freedom: to assure everyone the effective 
+effective freedom to copy and redistribute it, with or without
-freedom to copy and redistribute it, with or without modifying it, either 
+modifying it, either commercially or noncommercially. Secondarily, this
-commercially or noncommercially. Secondarily, this License preserves for
+License preserves for
-the author and publisher a way to get credit for their work, while not being 
+the author and publisher a way to get credit for their work, while not
-considered responsible for modifications made by others. </p>
+being considered responsible for modifications made by others. </p>
- 
+<p>This License is a kind of "copyleft", which means that derivative
-<p>This License is a kind of "copyleft", which means that derivative works
+works
-of the document must themselves be free in the same sense. It complements
+of the document must themselves be free in the same sense. It
-the GNU General Public License, which is a copyleft license designed for
+complements
 the GNU General Public License, which is a copyleft license designed
 for
 free software. </p>
- 
+<p>We have designed this License in order to use it for manuals for
-<p>We have designed this License in order to use it for manuals for free software,
+free software,
-because free software needs free documentation: a free program should come
+because free software needs free documentation: a free program should
-with manuals providing the same freedoms that the software does. But this 
+come
-License is not limited to software manuals; it can be used for any textual
+with manuals providing the same freedoms that the software does. But
-work, regardless of subject matter or whether it is published as a printed
+this License is not limited to software manuals; it can be used for any
-book. We recommend this License principally for works whose purpose is instruction
+textual
 work, regardless of subject matter or whether it is published as a
 printed
 book. We recommend this License principally for works whose purpose is
 instruction
 or reference. </p>
 <p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
- 
+<p>This License applies to any manual or other work that contains a
-<p>This License applies to any manual or other work that contains a notice 
+notice placed by the copyright holder saying it can be distributed
-placed by the copyright holder saying it can be distributed under the terms
+under the terms
-of this License. The "Document", below, refers to any such manual or work.
+of this License. The "Document", below, refers to any such manual or
 work.
 Any member of the public is a licensee, and is addressed as "you". </p>
- 
+<p>A "Modified Version" of the Document means any work containing the
-<p>A "Modified Version" of the Document means any work containing the Document 
+Document or a portion of it, either copied verbatim, or with
-or a portion of it, either copied verbatim, or with modifications and/or translated
+modifications and/or translated
 into another language. </p>
- 
+<p>A "Secondary Section" is a named appendix or a front-matter section
-<p>A "Secondary Section" is a named appendix or a front-matter section of
+of
-the Document that deals exclusively with the relationship of the publishers
+the Document that deals exclusively with the relationship of the
-or authors of the Document to the Document's overall subject (or to related 
+publishers
-matters) and contains nothing that could fall directly within that overall 
+or authors of the Document to the Document's overall subject (or to
-subject. (For example, if the Document is in part a textbook of mathematics,
+related matters) and contains nothing that could fall directly within
-a Secondary Section may not explain any mathematics.) The relationship could
+that overall subject. (For example, if the Document is in part a
-be a matter of historical connection with the subject or with related matters,
+textbook of mathematics,
-or of legal, commercial, philosophical, ethical or political position regarding
+a Secondary Section may not explain any mathematics.) The relationship
 could
 be a matter of historical connection with the subject or with related
 matters,
 or of legal, commercial, philosophical, ethical or political position
 regarding
 them. </p>
- 
+<p>The "Invariant Sections" are certain Secondary Sections whose titles
-<p>The "Invariant Sections" are certain Secondary Sections whose titles are 
+are designated, as being those of Invariant Sections, in the notice
-designated, as being those of Invariant Sections, in the notice that says
+that says
 that the Document is released under this License. </p>
- 
+<p>The "Cover Texts" are certain short passages of text that are
-<p>The "Cover Texts" are certain short passages of text that are listed,
+listed,
-as Front-Cover Texts or Back-Cover Texts, in the notice that says that the
+as Front-Cover Texts or Back-Cover Texts, in the notice that says that
 the
 Document is released under this License. </p>
- 
+<p>A "Transparent" copy of the Document means a machine-readable copy,
-<p>A "Transparent" copy of the Document means a machine-readable copy, represented
+represented
-in a format whose specification is available to the general public, whose
+in a format whose specification is available to the general public,
-contents can be viewed and edited directly and straightforwardly with generic
+whose
-text editors or (for images composed of pixels) generic paint programs or
+contents can be viewed and edited directly and straightforwardly with
-(for drawings) some widely available drawing editor, and that is suitable
+generic
-for input to text formatters or for automatic translation to a variety of
+text editors or (for images composed of pixels) generic paint programs
-formats suitable for input to text formatters. A copy made in an otherwise
+or
-Transparent file format whose markup has been designed to thwart or discourage
+(for drawings) some widely available drawing editor, and that is
-subsequent modification by readers is not Transparent. A copy that is not
+suitable
 for input to text formatters or for automatic translation to a variety
 of
 formats suitable for input to text formatters. A copy made in an
 otherwise
 Transparent file format whose markup has been designed to thwart or
 discourage
 subsequent modification by readers is not Transparent. A copy that is
 not
 "Transparent" is called "Opaque". </p>
- 
+<p>Examples of suitable formats for Transparent copies include plain
-<p>Examples of suitable formats for Transparent copies include plain ASCII 
+ASCII without markup, Texinfo input format, LaTeX input format, SGML or
-without markup, Texinfo input format, LaTeX input format, SGML or XML using
+XML using
-a publicly available DTD, and standard-conforming simple HTML designed for
+a publicly available DTD, and standard-conforming simple HTML designed
-human modification. Opaque formats include PostScript, PDF, proprietary formats
+for
-that can be read and edited only by proprietary word processors, SGML or
+human modification. Opaque formats include PostScript, PDF, proprietary
-XML for which the DTD and/or processing tools are not generally available,
+formats
-and the machine-generated HTML produced by some word processors for output
+that can be read and edited only by proprietary word processors, SGML
 or
 XML for which the DTD and/or processing tools are not generally
 available,
 and the machine-generated HTML produced by some word processors for
 output
 purposes only. </p>
- 
+<p>The "Title Page" means, for a printed book, the title page itself,
-<p>The "Title Page" means, for a printed book, the title page itself, plus
+plus
-such following pages as are needed to hold, legibly, the material this License 
+such following pages as are needed to hold, legibly, the material this
-requires to appear in the title page. For works in formats which do not have
+License requires to appear in the title page. For works in formats
-any title page as such, "Title Page" means the text near the most prominent 
+which do not have
-appearance of the work's title, preceding the beginning of the body of the
+any title page as such, "Title Page" means the text near the most
 prominent appearance of the work's title, preceding the beginning of
 the body of the
 text. </p>
 <p><strong>2. VERBATIM COPYING</strong> </p>
- 
+<p>You may copy and distribute the Document in any medium, either
-<p>You may copy and distribute the Document in any medium, either commercially 
+commercially or noncommercially, provided that this License, the
-or noncommercially, provided that this License, the copyright notices, and
+copyright notices, and
-the license notice saying this License applies to the Document are reproduced
+the license notice saying this License applies to the Document are
-in all copies, and that you add no other conditions whatsoever to those of
+reproduced
-this License. You may not use technical measures to obstruct or control the
+in all copies, and that you add no other conditions whatsoever to those
-reading or further copying of the copies you make or distribute. However,
+of
-you may accept compensation in exchange for copies. If you distribute a large
+this License. You may not use technical measures to obstruct or control
-enough number of copies you must also follow the conditions in section 3.
+the
 reading or further copying of the copies you make or distribute.
 However,
 you may accept compensation in exchange for copies. If you distribute a
 large
 enough number of copies you must also follow the conditions in section
 3.
 </p>
- 
+<p>You may also lend copies, under the same conditions stated above,
-<p>You may also lend copies, under the same conditions stated above, and
+and
 you may publicly display copies. </p>
 <p><strong>3. COPYING IN QUANTITY</strong> </p>
- 
+<p>If you publish printed copies of the Document numbering more than
-<p>If you publish printed copies of the Document numbering more than 100,
+100,
-and the Document's license notice requires Cover Texts, you must enclose
+and the Document's license notice requires Cover Texts, you must
-the copies in covers that carry, clearly and legibly, all these Cover Texts:
+enclose
-Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover.
+the copies in covers that carry, clearly and legibly, all these Cover
-Both covers must also clearly and legibly identify you as the publisher of
+Texts:
-these copies. The front cover must present the full title with all words
+Front-Cover Texts on the front cover, and Back-Cover Texts on the back
-of the title equally prominent and visible. You may add other material on
+cover.
-the covers in addition. Copying with changes limited to the covers, as long
+Both covers must also clearly and legibly identify you as the publisher
-as they preserve the title of the Document and satisfy these conditions,
+of
 these copies. The front cover must present the full title with all
 words
 of the title equally prominent and visible. You may add other material
 on
 the covers in addition. Copying with changes limited to the covers, as
 long
 as they preserve the title of the Document and satisfy these
 conditions,
 can be treated as verbatim copying in other respects. </p>
- 
+<p>If the required texts for either cover are too voluminous to fit
-<p>If the required texts for either cover are too voluminous to fit legibly,
+legibly,
-you should put the first ones listed (as many as fit reasonably) on the actual 
+you should put the first ones listed (as many as fit reasonably) on the
-cover, and continue the rest onto adjacent pages. </p>
+actual cover, and continue the rest onto adjacent pages. </p>
- 
+<p>If you publish or distribute Opaque copies of the Document numbering
-<p>If you publish or distribute Opaque copies of the Document numbering more 
+more than 100, you must either include a machine-readable Transparent
-than 100, you must either include a machine-readable Transparent copy along
+copy along
-with each Opaque copy, or state in or with each Opaque copy a publicly-accessible 
+with each Opaque copy, or state in or with each Opaque copy a
-computer-network location containing a complete Transparent copy of the Document,
+publicly-accessible computer-network location containing a complete
-free of added material, which the general network-using public has access
+Transparent copy of the Document,
-to download anonymously at no charge using public-standard network protocols.
+free of added material, which the general network-using public has
-If you use the latter option, you must take reasonably prudent steps, when
+access
-you begin distribution of Opaque copies in quantity, to ensure that this Transparent
+to download anonymously at no charge using public-standard network
-copy will remain thus accessible at the stated location until at least one
+protocols.
-year after the last time you distribute an Opaque copy (directly or through
+If you use the latter option, you must take reasonably prudent steps,
 when
 you begin distribution of Opaque copies in quantity, to ensure that
 this Transparent
 copy will remain thus accessible at the stated location until at least
 one
 year after the last time you distribute an Opaque copy (directly or
 through
 your agents or retailers) of that edition to the public. </p>
- 
+<p>It is requested, but not required, that you contact the authors of
-<p>It is requested, but not required, that you contact the authors of the 
+the Document well before redistributing any large number of copies, to
-Document well before redistributing any large number of copies, to give them
+give them
 a chance to provide you with an updated version of the Document. </p>
 <p><strong>4. MODIFICATIONS</strong> </p>
- 
+<p>You may copy and distribute a Modified Version of the Document under
-<p>You may copy and distribute a Modified Version of the Document under the 
+the conditions of sections 2 and 3 above, provided that you release the
-conditions of sections 2 and 3 above, provided that you release the Modified 
+Modified Version under precisely this License, with the Modified
-Version under precisely this License, with the Modified Version filling the
+Version filling the
-role of the Document, thus licensing distribution and modification of the
+role of the Document, thus licensing distribution and modification of
-Modified Version to whoever possesses a copy of it. In addition, you must
+the
 Modified Version to whoever possesses a copy of it. In addition, you
 must
 do these things in the Modified Version: </p>
- 
+<p>&nbsp;</p>
 <p> </p>
 <ul>
-   <li><strong>A.</strong> Use in the Title Page (and on the covers, if any)
+  <li><strong>A.</strong> Use in the Title Page (and on the covers, if
 any)
 a title distinct from that of the Document, and from those of previous
-versions   (which should, if there were any, be listed in the History section
+versions (which should, if there were any, be listed in the History
-of the   Document). You may use the same title as a previous version if the
+section
 of the Document). You may use the same title as a previous version if
 the
 original publisher of that version gives permission. </li>
-   <li><strong>B.</strong> List on the Title Page, as authors, one or more 
+  <li><strong>B.</strong> List on the Title Page, as authors, one or
-  persons or entities responsible for authorship of the modifications in
+more persons or entities responsible for authorship of the
-the   Modified Version, together with at least five of the principal authors
+modifications in
-of the   Document (all of its principal authors, if it has less than five).
+the Modified Version, together with at least five of the principal
-  </li>
+authors
-   <li><strong>C.</strong> State on the Title page the name of the publisher
+of the Document (all of its principal authors, if it has less than
 five). </li>
  <li><strong>C.</strong> State on the Title page the name of the
 publisher
 of the Modified Version, as the publisher. </li>
-   <li><strong>D.</strong> Preserve all the copyright notices of the Document. 
+  <li><strong>D.</strong> Preserve all the copyright notices of the
-  </li>
+Document. </li>
  <li><strong>E.</strong> Add an appropriate copyright notice for your
- modifications adjacent to the other copyright notices. </li>
+modifications adjacent to the other copyright notices. </li>
-   <li><strong>F.</strong> Include, immediately after the copyright notices,
+  <li><strong>F.</strong> Include, immediately after the copyright
-a   license notice giving the public permission to use the Modified Version
+notices,
-under   the terms of this License, in the form shown in the Addendum below.
+a license notice giving the public permission to use the Modified
-  </li>
+Version
-   <li><strong>G.</strong> Preserve in that license notice the full lists
+under the terms of this License, in the form shown in the Addendum
 below. </li>
  <li><strong>G.</strong> Preserve in that license notice the full
 lists
 of Invariant Sections and required Cover Texts given in the Document's
 license notice. </li>
  <li><strong>H.</strong> Include an unaltered copy of this License. </li>
-   <li><strong>I.</strong> Preserve the section entitled "History", and its 
+  <li><strong>I.</strong> Preserve the section entitled "History", and
-  title, and add to it an item stating at least the title, year, new authors, 
+its title, and add to it an item stating at least the title, year, new
-  and publisher of the Modified Version as given on the Title Page. If there
+authors, and publisher of the Modified Version as given on the Title
-is   no section entitled "History" in the Document, create one stating the
+Page. If there
-title,   year, authors, and publisher of the Document as given on its Title
+is no section entitled "History" in the Document, create one stating
 the
 title, year, authors, and publisher of the Document as given on its
 Title
 Page, then add an item describing the Modified Version as stated in the
 previous sentence. </li>
-   <li><strong>J.</strong> Preserve the network location, if any, given in
+  <li><strong>J.</strong> Preserve the network location, if any, given
-the   Document for public access to a Transparent copy of the Document, and
+in
-likewise   the network locations given in the Document for previous versions
+the Document for public access to a Transparent copy of the Document,
 and
 likewise the network locations given in the Document for previous
 versions
 it was based on. These may be placed in the "History" section. You may
-omit a network   location for a work that was published at least four years
+omit a network location for a work that was published at least four
 years
 before the Document itself, or if the original publisher of the version
 it refers to gives permission. </li>
  <li><strong>K.</strong> In any section entitled "Acknowledgements" or
- "Dedications", preserve the section's title, and preserve in the section
+"Dedications", preserve the section's title, and preserve in the
 section
 all the substance and tone of each of the contributor acknowledgements
 and/or dedications given therein. </li>
-   <li><strong>L.</strong> Preserve all the Invariant Sections of the Document, 
+  <li><strong>L.</strong> Preserve all the Invariant Sections of the
-  unaltered in their text and in their titles. Section numbers or the equivalent 
+Document, unaltered in their text and in their titles. Section numbers
-  are not considered part of the section titles. </li>
+or the equivalent are not considered part of the section titles. </li>
-   <li><strong>M.</strong> Delete any section entitled "Endorsements". Such
+  <li><strong>M.</strong> Delete any section entitled "Endorsements".
 Such
 a section may not be included in the Modified Version. </li>
-   <li><strong>N.</strong> Do not retitle any existing section as "Endorsements" 
+  <li><strong>N.</strong> Do not retitle any existing section as
-  or to conflict in title with any Invariant Section. </li>
+"Endorsements" or to conflict in title with any Invariant Section. </li>
 </ul>
- 
+<p>If the Modified Version includes new front-matter sections or
-<p>If the Modified Version includes new front-matter sections or appendices
+appendices
-that qualify as Secondary Sections and contain no material copied from the
+that qualify as Secondary Sections and contain no material copied from
-Document, you may at your option designate some or all of these sections
+the
-as invariant. To do this, add their titles to the list of Invariant Sections
+Document, you may at your option designate some or all of these
-in the Modified Version's license notice. These titles must be distinct from
+sections
 as invariant. To do this, add their titles to the list of Invariant
 Sections
 in the Modified Version's license notice. These titles must be distinct
 from
 any other section titles. </p>
- 
+<p>You may add a section entitled "Endorsements", provided it contains
-<p>You may add a section entitled "Endorsements", provided it contains nothing 
+nothing but endorsements of your Modified Version by various
-but endorsements of your Modified Version by various parties--for example, 
+parties--for example, statements of peer review or that the text has
-statements of peer review or that the text has been approved by an organization 
+been approved by an organization as the authoritative definition of a
-as the authoritative definition of a standard. </p>
+standard. </p>
- 
+<p>You may add a passage of up to five words as a Front-Cover Text, and
-<p>You may add a passage of up to five words as a Front-Cover Text, and a 
+a passage of up to 25 words as a Back-Cover Text, to the end of the
-passage of up to 25 words as a Back-Cover Text, to the end of the list of
+list of
-Cover Texts in the Modified Version. Only one passage of Front-Cover Text
+Cover Texts in the Modified Version. Only one passage of Front-Cover
-and one of Back-Cover Text may be added by (or through arrangements made
+Text
-by) any one entity. If the Document already includes a cover text for the
+and one of Back-Cover Text may be added by (or through arrangements
-same cover, previously added by you or by arrangement made by the same entity
+made
-you are acting on behalf of, you may not add another; but you may replace
+by) any one entity. If the Document already includes a cover text for
-the old one, on explicit permission from the previous publisher that added
+the
 same cover, previously added by you or by arrangement made by the same
 entity
 you are acting on behalf of, you may not add another; but you may
 replace
 the old one, on explicit permission from the previous publisher that
 added
 the old one. </p>
- 
+<p>The author(s) and publisher(s) of the Document do not by this
-<p>The author(s) and publisher(s) of the Document do not by this License
+License
-give permission to use their names for publicity for or to assert or imply 
+give permission to use their names for publicity for or to assert or
-endorsement of any Modified Version. </p>
+imply endorsement of any Modified Version. </p>
 <p><strong>5. COMBINING DOCUMENTS</strong> </p>
- 
+<p>You may combine the Document with other documents released under
-<p>You may combine the Document with other documents released under this License,
+this License,
-under the terms defined in section 4 above for modified versions, provided
+under the terms defined in section 4 above for modified versions,
-that you include in the combination all of the Invariant Sections of all
+provided
-of the original documents, unmodified, and list them all as Invariant Sections
+that you include in the combination all of the Invariant Sections of
 all
 of the original documents, unmodified, and list them all as Invariant
 Sections
 of your combined work in its license notice. </p>
- 
+<p>The combined work need only contain one copy of this License, and
-<p>The combined work need only contain one copy of this License, and multiple 
+multiple identical Invariant Sections may be replaced with a single
-identical Invariant Sections may be replaced with a single copy. If there
+copy. If there
-are multiple Invariant Sections with the same name but different contents,
+are multiple Invariant Sections with the same name but different
-make the title of each such section unique by adding at the end of it, in
+contents,
-parentheses, the name of the original author or publisher of that section
+make the title of each such section unique by adding at the end of it,
-if known, or else a unique number. Make the same adjustment to the section
+in
-titles in the list of Invariant Sections in the license notice of the combined
+parentheses, the name of the original author or publisher of that
 section
 if known, or else a unique number. Make the same adjustment to the
 section
 titles in the list of Invariant Sections in the license notice of the
 combined
 work. </p>
- 
+<p>In the combination, you must combine any sections entitled "History"
-<p>In the combination, you must combine any sections entitled "History" in
+in
-the various original documents, forming one section entitled "History"; likewise 
+the various original documents, forming one section entitled "History";
-combine any sections entitled "Acknowledgements", and any sections entitled 
+likewise combine any sections entitled "Acknowledgements", and any
-"Dedications". You must delete all sections entitled "Endorsements." </p>
+sections entitled "Dedications". You must delete all sections entitled
- 
+"Endorsements." </p>
 <p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
- 
+<p>You may make a collection consisting of the Document and other
-<p>You may make a collection consisting of the Document and other documents 
+documents released under this License, and replace the individual
-released under this License, and replace the individual copies of this License 
+copies of this License in the various documents with a single copy that
-in the various documents with a single copy that is included in the collection, 
+is included in the collection, provided that you follow the rules of
-provided that you follow the rules of this License for verbatim copying of
+this License for verbatim copying of
 each of the documents in all other respects. </p>
- 
+<p>You may extract a single document from such a collection, and
-<p>You may extract a single document from such a collection, and distribute
+distribute
-it individually under this License, provided you insert a copy of this License
+it individually under this License, provided you insert a copy of this
-into the extracted document, and follow this License in all other respects
+License
 into the extracted document, and follow this License in all other
 respects
 regarding verbatim copying of that document. </p>
 <p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
- 
+<p>A compilation of the Document or its derivatives with other separate
-<p>A compilation of the Document or its derivatives with other separate and 
+and independent documents or works, in or on a volume of a storage or
-independent documents or works, in or on a volume of a storage or distribution 
+distribution medium, does not as a whole count as a Modified Version of
-medium, does not as a whole count as a Modified Version of the Document, provided
+the Document, provided
-no compilation copyright is claimed for the compilation. Such a compilation
+no compilation copyright is claimed for the compilation. Such a
-is called an "aggregate", and this License does not apply to the other self-contained
+compilation
-works thus compiled with the Document, on account of their being thus compiled,
+is called an "aggregate", and this License does not apply to the other
 self-contained
 works thus compiled with the Document, on account of their being thus
 compiled,
 if they are not themselves derivative works of the Document. </p>
- 
+<p>If the Cover Text requirement of section 3 is applicable to these
-<p>If the Cover Text requirement of section 3 is applicable to these copies
+copies
-of the Document, then if the Document is less than one quarter of the entire 
+of the Document, then if the Document is less than one quarter of the
-aggregate, the Document's Cover Texts may be placed on covers that surround
+entire aggregate, the Document's Cover Texts may be placed on covers
-only the Document within the aggregate. Otherwise they must appear on covers
+that surround
 only the Document within the aggregate. Otherwise they must appear on
 covers
 around the whole aggregate. </p>
 <p><strong>8. TRANSLATION</strong> </p>
- 
+<p>Translation is considered a kind of modification, so you may
-<p>Translation is considered a kind of modification, so you may distribute 
+distribute translations of the Document under the terms of section 4.
-translations of the Document under the terms of section 4. Replacing Invariant 
+Replacing Invariant Sections with translations requires special
-Sections with translations requires special permission from their copyright 
+permission from their copyright holders, but you may include
-holders, but you may include translations of some or all Invariant Sections
+translations of some or all Invariant Sections
-in addition to the original versions of these Invariant Sections. You may
+in addition to the original versions of these Invariant Sections. You
-include a translation of this License provided that you also include the
+may
-original English version of this License. In case of a disagreement between
+include a translation of this License provided that you also include
-the translation and the original English version of this License, the original
+the
 original English version of this License. In case of a disagreement
 between
 the translation and the original English version of this License, the
 original
 English version will prevail. </p>
 <p><strong>9. TERMINATION</strong> </p>
- 
+<p>You may not copy, modify, sublicense, or distribute the Document
-<p>You may not copy, modify, sublicense, or distribute the Document except
+except
-as expressly provided for under this License. Any other attempt to copy,
+as expressly provided for under this License. Any other attempt to
-modify, sublicense or distribute the Document is void, and will automatically
+copy,
-terminate your rights under this License. However, parties who have received
+modify, sublicense or distribute the Document is void, and will
-copies, or rights, from you under this License will not have their licenses
+automatically
 terminate your rights under this License. However, parties who have
 received
 copies, or rights, from you under this License will not have their
 licenses
 terminated so long as such parties remain in full compliance. </p>
 <p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
- 
+<p>The Free Software Foundation may publish new, revised versions of
-<p>The Free Software Foundation may publish new, revised versions of the
+the
-GNU Free Documentation License from time to time. Such new versions will
+GNU Free Documentation License from time to time. Such new versions
-be similar in spirit to the present version, but may differ in detail to
+will
 be similar in spirit to the present version, but may differ in detail
 to
 address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
- 
+<p>Each version of the License is given a distinguishing version
-<p>Each version of the License is given a distinguishing version number.
+number.
-If the Document specifies that a particular numbered version of this License
+If the Document specifies that a particular numbered version of this
-"or any later version" applies to it, you have the option of following the
+License
-terms and conditions either of that specified version or of any later version
+"or any later version" applies to it, you have the option of following
-that has been published (not as a draft) by the Free Software Foundation.
+the
-If the Document does not specify a version number of this License, you may
+terms and conditions either of that specified version or of any later
-choose any version ever published (not as a draft) by the Free Software Foundation.
+version
 that has been published (not as a draft) by the Free Software
 Foundation.
 If the Document does not specify a version number of this License, you
 may
 choose any version ever published (not as a draft) by the Free Software
 Foundation.
 </p>
- 
+<p align="left">&nbsp;</p>
-<p align="left"> </p>
+<br>
  <br>
 </body>
 </html>
--- a/Shorewall-docs/IPIP.htm
+++ b/Shorewall-docs/IPIP.htm
@ -1,73 +1,48 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>GRE/IPIP Tunnels</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">GRE and IPIP Tunnels<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+insecure when used over the internet; use them at your own risk</h3>
-    <tbody>
+<p>GRE and IPIP tunneling with Shorewall can be used to bridge two
-     <tr>
+masqueraded networks.</p>
      <td width="100%">       
      <h1 align="center"><font color="#ffffff">GRE and IPIP Tunnels</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are insecure 
 when used over the internet; use them at your own risk</h3>
 <p>GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded 
 networks.</p>
 <p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
-Advanced Routing and Shaping HOWTO</a> work fine with Shorewall. Shorewall 
+Advanced Routing and Shaping HOWTO</a> work fine with Shorewall.
-also includes a tunnel script for automating tunnel configuration. If you 
+Shorewall also includes a tunnel script for automating tunnel
-have installed the RPM, the tunnel script may be found in the Shorewall documentation 
+configuration. If you have installed the RPM, the tunnel script may be
-directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</p>
+found in the Shorewall documentation directory (usually
-  
+/usr/share/doc/shorewall-&lt;version&gt;/).</p>
 <h2>Bridging two Masqueraded Networks</h2>
 <p>Suppose that we have the following situation:</p>
-  
+<p align="center"> <img border="0" src="images/TwoNets1.png"
-<p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
+ width="745" height="427"> </p>
- height="427">
+<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
- </p>
+able to communicate with the systems in the 10.0.0.0/8 network. This is
-  
+accomplished through use of the /etc/shorewall/tunnels file, the
-<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able 
+/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
-to communicate with the systems in the 10.0.0.0/8 network. This is accomplished 
+included with Shorewall.</p>
-through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy 
+<p align="left">The 'tunnel' script is not installed in /etc/shorewall
-file and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
+by default -- If you install using the tarball, the script is included
-  
+in the tarball; if you install using the RPM, the file is in your
-<p align="left">The 'tunnel' script is not installed in /etc/shorewall by 
+Shorewall documentation directory (normally
-default -- If you install using the tarball, the script is included in the 
+/usr/share/doc/shorewall-&lt;version&gt;).</p>
-tarball; if you install using the RPM, the file is in your Shorewall documentation 
+<p align="left">In the /etc/shorewall/tunnel script, set the
-directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
+'tunnel_type' parameter to the type of tunnel that you want to create.</p>
 <p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type' 
 parameter to the type of tunnel that you want to create.</p>
 <p align="left">Example:</p>
 <blockquote>
  <p align="left">tunnel_type=gre</p>
-  </blockquote>
+</blockquote>
-  
+<p align="left">On each firewall, you will need to declare a zone to
-<p align="left">On each firewall, you will need to declare a zone to represent 
+represent the remote subnet. We'll assume that this zone is called
- the remote subnet. We'll assume that this zone is called 'vpn' and declare 
+'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
 it in  /etc/shorewall/zones on both systems as follows.</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -81,14 +56,12 @@ it in  /etc/shorewall/zones on both systems as follows.</p>
        <td>VPN</td>
        <td>Remote Subnet</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
+zone.
 In /etc/shorewall/interfaces:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -102,15 +75,13 @@ In /etc/shorewall/interfaces:</p>
        <td>vpn</td>
        <td>tosysb</td>
        <td>10.255.255.255</td>
-        <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-  </blockquote>
+</blockquote>
-  
+<p align="left">In /etc/shorewall/tunnels on system A, we need the
-<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
+following:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -124,30 +95,25 @@ In /etc/shorewall/interfaces:</p>
        <td>ipip</td>
        <td>net</td>
        <td>134.28.54.2</td>
-        <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-  </blockquote>
+</blockquote>
-  
+<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
-<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP 
+IP encapsulation protocol (4) will be accepted to/from the remote
- encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
+gateway.</p>
 <p>In the tunnel script on system A:</p>
 <blockquote>
  <p>tunnel=tosysb<br>
-    myrealip=206.161.148.9 (for GRE tunnel only)<br>
+myrealip=206.161.148.9 (for GRE tunnel only)<br>
-    myip=192.168.1.1<br>
+myip=192.168.1.1<br>
-    hisip=10.0.0.1<br>
+hisip=10.0.0.1<br>
-    gateway=134.28.54.2<br>
+gateway=134.28.54.2<br>
-    subnet=10.0.0.0/8</p>
+subnet=10.0.0.0/8</p>
-  </blockquote>
+</blockquote>
 <p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
 zone. In /etc/shorewall/interfaces:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -161,15 +127,12 @@ zone. In /etc/shorewall/interfaces:</p>
        <td>vpn</td>
        <td>tosysa</td>
        <td>192.168.1.255</td>
-        <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-  </blockquote>
+</blockquote>
 <p>In /etc/shorewall/tunnels on system B, we have:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -183,31 +146,25 @@ zone. In /etc/shorewall/interfaces:</p>
        <td>ipip</td>
        <td>net</td>
        <td>206.191.148.9</td>
-        <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-  </blockquote>
+</blockquote>
 <p>And in the tunnel script on system B:</p>
 <blockquote>
  <p>tunnel=tosysa<br>
-    myrealip=134.28.54.2 (for GRE tunnel only)<br>
+myrealip=134.28.54.2 (for GRE tunnel only)<br>
-    myip=10.0.0.1<br>
+myip=10.0.0.1<br>
-    hisip=192.168.1.1<br>
+hisip=192.168.1.1<br>
-    gateway=206.191.148.9<br>
+gateway=206.191.148.9<br>
-    subnet=192.168.1.0/24</p>
+subnet=192.168.1.0/24</p>
-  </blockquote>
+</blockquote>
-  
+<p>You can rename the modified tunnel scripts if you like; be sure that
-<p>You can rename the modified tunnel scripts if you like; be sure that they 
+they are secured so that root can execute them. </p>
-are secured so that root can execute them.  </p>
+<p align="left"> You will need to allow traffic between the "vpn" zone
-  
+and the "loc" zone on both systems -- if you simply want to admit all
-<p align="left"> You will need to allow traffic between the "vpn" zone and 
+traffic in both directions, you can use the policy file:</p>
       the "loc" zone on both systems -- if you simply want to admit all traffic
       in both directions, you can use the policy file:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -221,29 +178,27 @@ are secured so that root can execute them.  </p>
        <td>loc</td>
        <td>vpn</td>
        <td>ACCEPT</td>
-            <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>vpn</td>
        <td>loc</td>
        <td>ACCEPT</td>
-            <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-  </blockquote>
+</blockquote>
-  
+<p>On both systems, restart Shorewall and run the modified tunnel
-<p>On both systems, restart Shorewall and run the modified tunnel script with
+script with
-the "start" argument on each system. The systems in the two masqueraded subnetworks
+the "start" argument on each system. The systems in the two masqueraded
 subnetworks
 can now talk to each other</p>
 <p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
-   <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/IPSEC.htm
+++ b/Shorewall-docs/IPSEC.htm
@ -8,17 +8,8 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">IPSEC Tunnels<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <h2><font color="#660066">Configuring FreeS/Wan</font></h2>
 There is an excellent guide to configuring IPSEC tunnels at<a
 href="http://www.geocities.com/jixen66/">
@ -34,10 +25,40 @@ to debug this problem so I can't say if it is a bug in the Kernel or in
 FreeS/Wan.&nbsp;</p>
 <p>You <b>might</b> be able to work around this problem using the
 following (I haven't tried it):</p>
-<p>In /etc/shorewall/init, include:</p>
+<p style="margin-left: 40px;">In /etc/shorewall/init, include:</p>
-<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
+<div style="margin-left: 40px;"></div>
-<p>In /etc/shorewall/start, include:</p>
+<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec
-<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
+stop</p>
 <div style="margin-left: 40px;"></div>
 <p style="margin-left: 40px;">In /etc/shorewall/start, include:</p>
 <div style="margin-left: 40px;"></div>
 <p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp; qt service ipsec start<br>
 </p>
 <p>Also, the documentation below assumes that you have disabled
 opportunistic encryption feature in FreeS/Wan 2.0 using the following
 additional entries in ipsec.conf:<br>
 </p>
 <p style="margin-left: 40px;"><tt>conn block<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
 <br>
 conn private<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
 <br>
 conn private-or-clear<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
 <br>
 conn clear-or-private<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
 <br>
 conn clear<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
 <br>
 conn packetdefault<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
 </tt></p>
 For further information see <a
 href="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</a>.<tt><br>
 </tt>
 <h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
 <p>Suppose that we have the following sutuation:</p>
 <font color="#660066">
@ -631,7 +652,7 @@ issue the command":<br>
 <blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
 </blockquote>
 and the 'down' part will:<br>
-<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
+<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2<br>
  <br>
 </blockquote>
 <h3>Limitations of Dynamic Zones</h3>
@ -664,7 +685,7 @@ DESTINATION<br>
      <tr>
        <td valign="top">DNAT<br>
        </td>
-        <td valign="top">z:dyn<br>
+        <td valign="top">z!dyn<br>
        </td>
        <td valign="top">loc:192.168.1.3<br>
        </td>
@ -682,7 +703,7 @@ DESTINATION<br>
 </blockquote>
 Dynamic changes to the zone <b>dyn</b> will have no effect on the
 above rule.
-<p><font size="2">Last updated 8/12//2003 - </font><font size="2"> <a
+<p><font size="2">Last updated 10/292003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
 <p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/Install.htm
+++ b/Shorewall-docs/Install.htm
@ -1,97 +1,75 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Installation</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
-          
+<h1 style="text-align: center;">Shorewall Installation and Upgrade<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
             <tbody>
              <tr>
               <td width="100%">                                   
      <h1 align="center"><font color="#ffffff">Shorewall Installation and 
    Upgrade</font></h1>
               </td>
             </tr>
  </tbody>     
 </table>
 <p align="center"><b>Before upgrading, be sure to review the <a
 href="upgrade_issues.htm">Upgrade Issues<br>
-    </a></b></p>
+</a></b></p>
-       
+<div align="left"><b>Before attempting installation, I strongly urge
-<div align="left"><b>Before attempting installation, I strongly urge you
+you
 to read and print a copy of the <a
 href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
-   for the configuration that most closely matches your own.</b><br>
+for the configuration that most closely matches your own.</b><br>
-    </div>
+</div>
 <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
-           <a href="#Install_Tarball">Install using tarball<br>
+<a href="#Install_Tarball">Install using tarball<br>
-        </a><a href="#LRP">Install the .lrp</a><br>
+</a><a href="#LRP">Install the .lrp</a><br>
-           <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
+<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
-           <a href="#Upgrade_Tarball">Upgrade using tarball<br>
+<a href="#Upgrade_Tarball">Upgrade using tarball<br>
-        </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
+</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
-           <a href="#Config_Files">Configuring Shorewall</a><br>
+<a href="#Config_Files">Configuring Shorewall</a><br>
-           <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
+<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
 <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
-          
+<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at
-<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a 
+a shell prompt, type "/sbin/iptables --version"), you must upgrade to
-    shell  prompt, type "/sbin/iptables --version"), you must upgrade to version
+version 1.2.4 either from the <a
-    1.2.4  either from the <a
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat
- href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update 
+update site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
-     site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
+before attempting to start Shorewall.</b></p>
     attempting to start Shorewall.</b></p>
 <ul>
  <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
    <br>
-             <b>Note1: </b>Some SuSE  users have encountered a problem whereby 
+    <b>Note1: </b>Some SuSE&nbsp; users have encountered a problem
-  rpm  reports  a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel 
+whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
-  is installed.  If this    happens, simply use the --nodeps option to rpm 
+kernel is installed. If this happens, simply use the --nodeps option to
- (rpm -ivh --nodeps  &lt;shorewall    rpm&gt;.<br>
+rpm (rpm -ivh --nodeps &lt;shorewall rpm&gt;.<br>
    <br>
-         <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent 
+    <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is
-  on the iproute package. Unfortunately, some distributions call this package 
+dependent on the iproute package. Unfortunately, some distributions
-  iproute2 which will cause the installation of Shorewall to fail with the 
+call this package iproute2 which will cause the installation of
- diagnostic:<br>
+Shorewall to fail with the diagnostic:<br>
    <br>
-          error: failed dependencies:iproute is needed by  shorewall-1.4.x-1 
+&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
 shorewall-1.4.x-1 <br>
    <br>
-         <br>
+This may be worked around by using the --nodeps option of rpm (rpm -ivh
-     This may be worked around by using the --nodeps option of rpm (rpm -ivh
+--nodeps &lt;shorewall rpm&gt;).<br>
  --nodeps &lt;shorewall rpm&gt;).<br>
    <br>
  </li>
-             <li>Edit the <a href="#Config_Files"> configuration files</a>
+  <li>Edit the <a href="#Config_Files"> configuration files</a> to
- to  match   your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
+match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
-     <u>NOT</u>    SIMPLY INSTALL THE RPM  AND ISSUE A "shorewall start"
+SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
 COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
 IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
-SYSTEM WILL NO LONGER ACCEPT ANY  NETWORK  TRAFFIC. IF THIS HAPPENS,  ISSUE
+SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
 ISSUE
 A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
  <li>Start the firewall by typing "shorewall start"</li>
 </ul>
 <p><a name="Install_Tarball"></a>To install Shorewall using the tarball
-    and install     script: </p>
+and install script: </p>
 <ul>
  <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
-             <li>cd to the shorewall directory (the version is encoded in 
+  <li>cd to the shorewall directory (the version is encoded in the
-the               directory name as in "shorewall-1.1.10").</li>
+directory name as in "shorewall-1.1.10").</li>
  <li>If you are using <a
 href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
 href="http://www.redhat.com">RedHat</a>, <a
@ -101,79 +79,75 @@ the               directory name as in "shorewall-1.1.10").</li>
 href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
  <li>If you are using <a href="http://www.suse.com">SuSe</a>
 then type "./install.sh /etc/init.d"</li>
-             <li>If your distribution has directory             /etc/rc.d/init.d 
+  <li>If your distribution has directory /etc/rc.d/init.d or
-   or  /etc/init.d then type             "./install.sh"</li>
+/etc/init.d then type "./install.sh"</li>
-             <li>For other distributions, determine where your          
+  <li>For other distributions, determine where your distribution
-  distribution    installs init scripts and type             "./install.sh
+installs init scripts and type "./install.sh &lt;init script
- &lt;init script   directory&gt;</li>
+directory&gt;</li>
-             <li>Edit the <a href="#Config_Files"> configuration files</a>
+  <li>Edit the <a href="#Config_Files"> configuration files</a> to
- to  match   your configuration.</li>
+match your configuration.</li>
  <li>Start the firewall by typing "shorewall start"</li>
  <li>If the install script was unable to configure Shorewall
 to be started automatically at boot, see <a
 href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
 </ul>
-          
+<p><a name="LRP"></a>To install my version of Shorewall on a fresh
-<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering 
+Bering disk, simply replace the "shorwall.lrp" file on the image with
-   disk, simply replace the "shorwall.lrp" file on the image with the file
+the file that you downloaded. See the <a href="two-interface.htm">two-interface
  that  you downloaded. See the <a href="two-interface.htm">two-interface
 QuickStart Guide</a> for information about further steps required.</p>
-          
+<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM
-<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed 
+installed and are upgrading to a new version:</p>
-    and are upgrading to a new version:</p>
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
-          
+version or
 <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
 and you have entries in the /etc/shorewall/hosts file then please check
-your  /etc/shorewall/interfaces file to be sure that it contains an entry 
+your /etc/shorewall/interfaces file to be sure that it contains an
-   for each  interface mentioned in the hosts file. Also, there are certain 
+entry for each interface mentioned in the hosts file. Also, there are
-  1.2 rule forms  that are no longer supported under 1.4 (you must use the
+certain 1.2 rule forms that are no longer supported under 1.4 (you must
-  new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
+use the new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade
-  details.</p>
+issues </a>for details.</p>
 <ul>
-             <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: 
+  <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
-       </b>If  you     are installing version 1.2.0 and have one of the 1.2.0 
+you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
-   Beta RPMs installed,     you must use the "--oldpackage" option to rpm 
+installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
-(e.g.,   "rpm     -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").        
+-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
-                 
+    <p> <b>Note1: </b>Some SuSE users have encountered a problem
-    <p>   <b>Note1: </b>Some SuSE users have encountered a problem whereby 
+whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
-    rpm reports a    conflict with kernel &lt;= 2.2 even though a 2.4 kernel 
+kernel is installed. If this happens, simply use the --nodeps option to
-   is installed. If this    happens, simply use the --nodeps option to rpm
+rpm (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  (rpm   -Uvh --nodeps &lt;shorewall    rpm&gt;).<br>
    <br>
-         <b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
+    <b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is
-  on the iproute package. Unfortunately, some distributions call this package
+dependent on the iproute package. Unfortunately, some distributions
-  iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
+call this package iproute2 which will cause the upgrade of Shorewall to
 fail with the diagnostic:<br>
    <br>
-           error: failed dependencies:iproute is needed by  shorewall-1.4.0-1 
+&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
 shorewall-1.4.0-1 <br>
    <br>
-        <br>
+This may be worked around by using the --nodeps option of rpm (rpm
-      This may be worked around by using the --nodeps option of rpm (rpm
+-Uvh --nodeps &lt;shorewall rpm&gt;).&nbsp;</p>
 -Uvh   --nodeps &lt;shorewall rpm&gt;). </p>
  </li>
  <li>See if there are any incompatibilities between your configuration
-   and the    new Shorewall version (type "shorewall check") and correct as
+and the new Shorewall version (type "shorewall check") and correct as
-  necessary.</li>
+necessary.</li>
  <li>Restart the firewall (shorewall restart).</li>
 </ul>
-          
+<p><a name="Upgrade_Tarball"></a>If you already have Shorewall
-<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
+installed
 and are upgrading to a new version using the tarball:</p>
-          
+<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
-<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
+version
 and you have entries in the /etc/shorewall/hosts file then please check
-your  /etc/shorewall/interfaces file to be sure that it contains an entry
+your /etc/shorewall/interfaces file to be sure that it contains an
-for each  interface mentioned in the hosts file.  Also, there are certain
+entry
 for each interface mentioned in the hosts file.&nbsp; Also, there are
 certain
 1.2 rule forms that are no longer supported under 1.4 (you must use the
 new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
 for details. </p>
 <ul>
  <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
-             <li>cd to the shorewall directory (the version is encoded in 
+  <li>cd to the shorewall directory (the version is encoded in the
-the               directory name as in "shorewall-3.0.1").</li>
+directory name as in "shorewall-3.0.1").</li>
  <li>If you are using <a
 href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
 href="http://www.redhat.com">RedHat</a>, <a
@ -183,39 +157,33 @@ the               directory name as in "shorewall-3.0.1").</li>
 href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
  <li>If you are using<a href="http://www.suse.com"> SuSe</a>
 then type "./install.sh /etc/init.d"</li>
-             <li>If your distribution has directory             /etc/rc.d/init.d 
+  <li>If your distribution has directory /etc/rc.d/init.d or
-   or  /etc/init.d then type             "./install.sh"</li>
+/etc/init.d then type "./install.sh"</li>
-             <li>For other distributions, determine where your          
+  <li>For other distributions, determine where your distribution
-  distribution    installs init scripts and type             "./install.sh
+installs init scripts and type "./install.sh &lt;init script
- &lt;init script   directory&gt;</li>
+directory&gt;</li>
  <li>See if there are any incompatibilities between your configuration
-   and the    new Shorewall version (type "shorewall check") and correct as
+and the new Shorewall version (type "shorewall check") and correct as
-  necessary.</li>
+necessary.</li>
  <li>Restart the firewall by typing "shorewall restart"</li>
 </ul>
-                 <a name="LRP_Upgrade"></a>If you already have a running
+<a name="LRP_Upgrade"></a>If you already have a running
 Bering installation and wish to upgrade to a later version of Shorewall:<br>
-        <br>
+<br>
-            <b>UNDER CONSTRUCTION...</b><br>
+&nbsp;&nbsp;&nbsp; <b>UNDER CONSTRUCTION...</b><br>
 <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
-          
+<p>You will need to edit some or all of the configuration files to
-<p>You will need to edit some or all of the configuration files to match your
+match your setup. In most cases, the <a
- setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall 
+ href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
-    QuickStart Guides</a> contain all of the information you need.</p>
+contain all of the information you need.</p>
 <ul>
 </ul>
 <p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
-    </font></p>
+</font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  </p>
+</p>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/MAC_Validation.html
+++ b/Shorewall-docs/MAC_Validation.html
@ -2,123 +2,103 @@
 <html>
 <head>
  <title>MAC Verification</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
-  <body>
+<body>
-        
+<br>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">MAC Verification<br>
- style="border-collapse: collapse;" width="100%" id="AutoNumber4"
+</h1>
- bgcolor="#3366ff" height="90">
+All traffic from an interface or from a subnet on an interface can be
-                     <tbody>
+verified to originate from a defined set of MAC addresses. Furthermore,
-                    <tr>
+each MAC address may be optionally associated with one or more IP
-                      <td width="100%">                             
+addresses. <br>
-      <h1 align="center"><font color="#ffffff">MAC Verification</font><br>
+<br>
-             </h1>
+<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
-                      <br>
+module name ipt_mac.o).</b><br>
-             </td>
+<br>
-                    </tr>
+There are four components to this facility.<br>
  </tbody>    
 </table>
            <br>
            All traffic from an interface    or  from a subnet on an interface
  can be verified to originate from a defined     set of MAC addresses. Furthermore,
  each MAC address may be optionally associated    with one or more IP addresses.
  <br>
        <br>
        <b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
   - module name ipt_mac.o).</b><br>
        <br>
        There are four components to this facility.<br>
 <ol>
  <li>The <b>maclist</b> interface option in <a
- href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
+ href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
-this option is specified, all traffic arriving on the interface is subjet
+When
 this option is specified, all traffic arriving on the interface is
 subjet
 to MAC verification.</li>
-              <li>The <b>maclist </b>option in <a
+  <li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
- href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.   When this option
+When this option is specified for a subnet, all traffic from that
-   is specified for a subnet, all traffic from that subnet  is subject to
+subnet is subject to
 MAC verification.</li>
  <li>The /etc/shorewall/maclist file. This file is used to associate
-    MAC  addresses with interfaces and to optionally associate IP addresses
+MAC addresses with interfaces and to optionally associate IP addresses
-  with  MAC  addresses.</li>
+with MAC addresses.</li>
-              <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL 
+  <li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
-    </b>variables      in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
+in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
-   The   MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
+The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
- and  determines   the disposition of connection requests that fail MAC verification.
+and determines the disposition of connection requests that fail MAC
-   The MACLIST_LOG_LEVEL   variable gives the syslogd level at which connection
+verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
-   requests that fail verification  are to be logged. If set the the empty
+which connection requests that fail verification are to be logged. If
- value  (e.g., MACLIST_LOG_LEVEL="")   then failing connection requests are
+set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
- not logged.<br>
+connection requests are not logged.<br>
  </li>
 </ol>
-            The columns in /etc/shorewall/maclist are:<br>
+The columns in /etc/shorewall/maclist are:<br>
 <ul>
  <li>INTERFACE - The name of an ethernet interface on the Shorewall
-    system.</li>
+system.</li>
  <li>MAC - The MAC address of a device on the ethernet segment
- connected     by INTERFACE. It is not necessary to use the Shorewall MAC 
+connected by INTERFACE. It is not necessary to use the Shorewall MAC
 format in this column although you may use that format if you so choose.</li>
-              <li>IP Address - An optional comma-separated list of IP addresses
+  <li>IP Address - An optional comma-separated list of IP addresses for
-   for   the device whose MAC is listed in the MAC column.</li>
+the device whose MAC is listed in the MAC column.</li>
 </ul>
-        
+<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
-<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for 
+for details about my setup):</h3>
-details about my setup):</h3>
+<b>/etc/shorewall/shorewall.conf:<br>
-            <b>/etc/shorewall/shorewall.conf:<br>
+</b>
            </b>    
 <pre>     MACLIST_DISPOSITION=REJECT<br>     MACLIST_LOG_LEVEL=info<br></pre>
-            <b>/etc/shorewall/interfaces:</b><br>
+<b>/etc/shorewall/interfaces:</b><br>
 <blockquote>
  <pre>#ZONE   INTERFACE        BROADCAST       OPTIONS<br>net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc     eth2            192.168.1.255   dhcp<br>dmz     eth1            192.168.2.255<br>WiFi    eth3            192.168.3.255   dhcp,maclist<br>-       texas           192.168.9.255</pre>
-   </blockquote>
+</blockquote>
-            <b>/etc/shorewall/maclist:</b><br>
+<b>/etc/shorewall/maclist:</b><br>
 <blockquote>
  <pre>#INTERFACE              MAC                     IP ADDRESSES (Optional)<br>eth3                    00:A0:CC:A2:0C:A0       192.168.3.7                 #Work Laptop<br>eth3                    00:04:5a:fe:85:b9       192.168.3.250               #WAP11<br>eth3                    00:06:25:56:33:3c       192.168.3.225,192.168.3.8   #WET11<br>eth3                    00:0b:cd:C4:cc:97       192.168.3.8                 #TIPPER</pre>
-   </blockquote>
+</blockquote>
-   As shown above, I use MAC Verification on my wireless zone.<br>
+As shown above, I use MAC Verification on my wireless zone.<br>
-  <br>
+<br>
-  <b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like 
+<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
-a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the
+like a wireless router with DHCP relay. When forwarding DHCP traffic,
-MAC address of the host (TIPPER) but for other forwarded traffic it uses it's
+it uses the
-own MAC address. Consequently, I list the IP addresses of both devices in
+MAC address of the host (TIPPER) but for other forwarded traffic it
 uses it's
 own MAC address. Consequently, I list the IP addresses of both devices
 in
 /etc/shorewall/maclist.<br>
 <h3>Example 2: Router in Wireless Zone</h3>
-            Suppose now that I add a second wireless segment to my wireless 
+Suppose now that I add a second wireless segment to my wireless zone
- zone and   gateway  that segment via a router with MAC address 00:06:43:45:C6:15
+and gateway that segment via a router with MAC address
-  and   IP address  192.168.3.253. Hosts in the second segment have IP addresses
+00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
-   in the subnet  192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
+segment have IP addresses in the subnet 192.168.4.0/24. I would add the
-      file:<br>
+following entry to my /etc/shorewall/maclist file:<br>
 <pre>     eth3                     00:06:43:45:C6:15       192.168.3.253,192.168.4.0/24<br></pre>
-            This entry accomodates traffic from the router itself (192.168.3.253)
+This entry accomodates traffic from the router itself (192.168.3.253)
-    and  from the second wireless segment (192.168.4.0/24). Remember that
+and from the second wireless segment (192.168.4.0/24). Remember that
 all traffic being sent to my firewall from the 192.168.4.0/24 segment
 will be forwarded by the router so that traffic's MAC address will be
 that of the router (00:06:43:45:C6:15) and not that of the host sending
 the traffic.
 <p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
-         </font></p>
+</font></p>
-          
+<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
-<p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-   <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+</p>
-      </p>
+<br>
-      <br>
+<br>
-     <br>
+<br>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Multiple_Zones.html
+++ b/Shorewall-docs/Multiple_Zones.html
@ -0,0 +1,551 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Multiple Zones per Interface</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <h2></h2>
 <blockquote> </blockquote>
 <h1 style="text-align: center;">Multiple Zones per Interface<br>
 </h1>
 While most configurations can be handled with each of the firewall's
 network interfaces assigned to a single zone, there are cases where you
 will want to divide the hosts accessed through an interface between two
 or more zones.<br>
 <ol>
  <li>The interface has multiple addresses on multiple subnetworks.
 This case is covered in the <a
 href="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
 documentation</a>.</li>
  <li>You are using some form of NAT and want to access a server by its
 external IP address from the same LAN segment. This is covered in <a
 href="FAQ.htm#faq2">FAQs 2 and 2a</a>.<br>
  </li>
  <li>There are routers accessible through the interface and you want
 to treat the networks accessed through that router as a separate zone.</li>
  <li>Some of the hosts accessed through an interface have
 significantly different firewalling requirements from the others so you
 want to assign them to a different zone.</li>
 </ol>
 The key points to keep in mind when setting up multiple zones per
 interface are:<br>
 <ul>
  <li>Shorewall generates rules for zones in the order that the zone
 declarations appear in /etc/shorewall/zones.</li>
  <li>The order of entries in /etc/shorewall/hosts is immaterial as far
 as the generated ruleset is concerned.</li>
 </ul>
 <span style="font-weight: bold;">These examples use the local zone but
 the same technique works for any zone. </span>Remember that Shorewall
 doesn't have any conceptual knowledge of "Internet", "Local", or "DMZ"
 so all zones except the firewall itself ($FW) are the same as far as
 Shorewall is concerned.&nbsp; Also, the examples use private (RFC 1918)
 addresses but public IP addresses can be used in exactly the same way.<br>
 <h2>Router in the Local Zone<br>
 </h2>
 Here is an example of a router in the local zone.&nbsp; Note that <span
 style="font-weight: bold;">the box called "Router" could be a VPN
 server</span> or other such device; from the point of view of this
 discussion, it makes no difference.<br>
 <br>
 <div style="text-align: center;"><img src="images/MultiZone1.png"
 title="" alt="(Firewall connected to Internal Router)"
 style="width: 556px; height: 335px;"><br>
 </div>
 <blockquote>
  <p> </p>
 </blockquote>
 <blockquote> </blockquote>
 <h3>Can You Use the Standard Configuration?<br>
 </h3>
 In many cases, the <a href="two-interface.htm">standard two-interface
 Shorewall setup</a> will work fine in this configuration.&nbsp; It will
 work if:<br>
 <ul>
  <li>The firewall requirements to/from the internet are the same for
 192.168.1.0/24 and 192.168.2.0/24.</li>
  <li>The hosts in 192.168.1.0/24 know that the route to 192.168.2.0/24
 is through the <span style="font-weight: bold;">router.</span></li>
 </ul>
 All you have to do on the firewall is add a route to 192.168.2.0/24
 through the <span style="font-weight: bold;">router</span> and restart
 Shorewall.<br>
 <h3>Will One Zone be Enough?</h3>
 If the firewalling requirements for the two local networks is the same
 but the hosts in 192.168.1.0/24 don't know how to route to
 192.168.2.0/24 then you need to configure the firewall slightly
 differently. This type of configuration is rather stupid from an IP
 networking point of view but it is sometimes necessary because you
 simply don't want to have to reconfigure all of the hosts in
 192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
 firewall:<br>
 <ul>
  <li>Add a route to 192.168.2.0/24 through the <span
 style="font-weight: bold;">Router.</span></li>
  <li>Set the 'routeback' and 'newnotsyn' options for eth1 (the local
 firewall interface) in /etc/shorewall/interfaces.</li>
  <li>Restart Shorewall.<br>
  </li>
 </ul>
 <h3>I Need Separate Zones</h3>
 If you need to make 192.168.2.0/24 into it's own zone, you can do it
 one of two ways; Nested Zones or Parallel Zones.<br>
 <h4>Nested Zones:</h4>
 You can define one zone (called it 'loc') as being all hosts connectied
 to eth1 and a second zone 'loc1' (192.168.2.0/24) as a sub-zone.<br>
 <br>
 <div style="text-align: center;"><img src="images/MultiZone1A.png"
 title="" alt="" style="width: 607px; height: 415px;"><br>
 </div>
 <br>
 The advantage of this approach is that the zone 'loc1' can use CONTINUE
 policies such that if a connection request doesn't match a 'loc1' rule,
 it will be matched against the 'loc' rules. For example, if your
 loc1-&gt;net policy is CONTINUE then if a connection request from loc1
 to the internet doesn't match any rules for loc1-&gt;net then it will
 be checked against the loc-&gt;net rules.<br>
 <br>
 /etc/shorewall/zones:<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">Local2<br>
      </td>
      <td style="vertical-align: top;">Hosts access through internal
 router<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">Local<br>
      </td>
      <td style="vertical-align: top;">All hosts accessed via eth1<br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 Note that the sub-zone (loc1) is defined first!<br>
 <br>
 </div>
 /etc/shorewall/interfaces<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellspacing="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">eth1<br>
      </td>
      <td style="vertical-align: top;">192.168.1.255<br>
      </td>
      <td style="vertical-align: top;">...<br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 </div>
 /etc/shorewall/hosts<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">HOSTS<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">eth1:192.168.2.0/24<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
  </tbody>
 </table>
 </div>
 <br>
 If you don't need Shorewall to set up infrastructure to route traffic
 between 'loc' and 'loc1', add these two policies:<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">SOURCE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">DEST<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">POLICY<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">LOG<br>
 LEVEL<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">loc1</td>
      <td style="vertical-align: top;">NONE<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">NONE<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
      <td style="vertical-align: top;"> <br>
      </td>
    </tr>
  </tbody>
 </table>
 </div>
 <h4>Parallel Zones:</h4>
 You define both zones in the /etc/shorewall/hosts file to create two
 disjoint zones.<br>
 <br>
 <div style="text-align: center;"><img src="images/MultiZone1B.png"
 title="" alt="" style="width: 588px; height: 415px;"><br>
 </div>
 <br>
 /etc/shorewall/zones:<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">Local1<br>
      </td>
      <td style="vertical-align: top;">Hosts accessed Directly from
 Firewall<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc2<br>
      </td>
      <td style="vertical-align: top;">Local2<br>
      </td>
      <td style="vertical-align: top;">Hosts accessed via internal
 Router<br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 Here it doesn't matter which zone is defined first.<br>
 <br>
 </div>
 /etc/shorewall/interfaces<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellspacing="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">-<br>
      </td>
      <td style="vertical-align: top;">eth1<br>
      </td>
      <td style="vertical-align: top;">192.168.1.255<br>
      </td>
      <td style="vertical-align: top;">...<br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 </div>
 /etc/shorewall/hosts<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">HOSTS<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">eth1:192.168.1.0/24<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc2<br>
      </td>
      <td style="vertical-align: top;">eth1:192.168.2.0/24<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
  </tbody>
 </table>
 </div>
 <br>
 If you don't need Shorewall to set up infrastructure to route traffic
 between 'loc' and 'loc1', add these two policies:<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">SOURCE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">DEST<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">POLICY<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">LOG<br>
 LEVEL<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">loc1</td>
      <td style="vertical-align: top;">NONE<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">NONE<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
      <td style="vertical-align: top;"> <br>
      </td>
    </tr>
  </tbody>
 </table>
 </div>
 <h2>Some Hosts have Special Firewalling Requirements</h2>
 There are cases where a subset of the addresses associated with an
 interface need special handling.&nbsp; Here's an example.<br>
 <br>
 <div style="text-align: center;"><img src="images/MultiZone2.png"
 title="" alt="" style="height: 252px; width: 631px;"><br>
 </div>
 <br>
 In this example, addresses 192.168.1.8 - 192.168.1.15 (192.168.1.8/29)
 are to be treated as their own zone (loc1).<br>
 <br>
 /etc/shorewall/zones:<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">Local2<br>
      </td>
      <td style="vertical-align: top;">192.168.1.8 - 192.168.1.15<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">Local<br>
      </td>
      <td style="vertical-align: top;">All hosts accessed via eth1<br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 Note that the sub-zone (loc1) is defined first!<br>
 <br>
 </div>
 /etc/shorewall/interfaces<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellspacing="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">eth1<br>
      </td>
      <td style="vertical-align: top;">192.168.1.255<br>
      </td>
      <td style="vertical-align: top;">...<br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 </div>
 /etc/shorewall/hosts<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">ZONE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">HOSTS<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">eth1:192.168.1.8/29<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
  </tbody>
 </table>
 </div>
 <br>
 You probably don't want Shorewall to set up infrastructure to route
 traffic
 between 'loc' and 'loc1' so you should add these two policies:<br>
 <div style="margin-left: 40px;"><br>
 <table cellpadding="2" border="1" style="text-align: left;">
  <tbody>
    <tr>
      <td style="vertical-align: top; font-weight: bold;">SOURCE<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">DEST<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">POLICY<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">LOG<br>
 LEVEL<br>
      </td>
      <td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">loc1</td>
      <td style="vertical-align: top;">NONE<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
    <tr>
      <td style="vertical-align: top;">loc1<br>
      </td>
      <td style="vertical-align: top;">loc<br>
      </td>
      <td style="vertical-align: top;">NONE<br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
      <td style="vertical-align: top;"><br>
      </td>
    </tr>
  </tbody>
 </table>
 &nbsp;<br>
 </div>
 <p><font size="2">Last updated 11/21/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
 <a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2003 Thomas M. Eastep.</font></a><br>
 </body>
 </html>
--- a/Shorewall-docs/NAT.htm
+++ b/Shorewall-docs/NAT.htm
@ -1,57 +1,40 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall NAT</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
       <tbody>
        <tr>
         <td width="100%">                            
      <h1 align="center"><font color="#ffffff">Static Nat</font></h1>
         </td>
       </tr>
  </tbody>    
 </table>
 <br>
-                <br>
+<h1 style="text-align: center;">One-to-one NAT<br>
-                
+</h1>
 <p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
-     ports to servers behind your firewall, you do NOT want to use static
+ports to servers behind your firewall, you do NOT want to use
-  NAT.      Port forwarding can be accomplished with simple entries in the
+one-to-one NAT. Port forwarding can be accomplished with simple entries
-    <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
+in the <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
 <blockquote> </blockquote>
-<p>Static NAT is a way to make systems behind a     firewall and configured
+<p>One-to-one NAT is a way to make systems behind a firewall and
-  with private IP addresses (those     reserved for private use in RFC1918)
+configured
-  appear to have public IP     addresses. Before you try to use this technique,
+with private IP addresses (those reserved for private use in RFC 1918)
-  I strongly recommend that you read the <a
+appear to have public IP addresses. Before you try to use this
 technique, I strongly recommend that you read the <a
 href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
 <blockquote> </blockquote>
-<p>The following figure represents a static NAT     environment.</p>
+<p>The following figure represents a one-to-one NAT environment.</p>
 <blockquote>
  <p align="center"><strong> <img src="images/staticnat.png"
- width="435" height="397">
+ style="width: 456px; height: 397px;" title="" alt=""> </strong></p>
      </strong></p>
  <blockquote> </blockquote>
-                </blockquote>
+</blockquote>
-<p align="left">Static NAT can be used to make the systems with the  10.1.1.* 
+<p align="left">One-to-one NAT can be used to make the systems with the
- addresses appear to be on the upper (130.252.100.*) subnet. If we     assume 
+10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
- that the interface to the upper subnet is eth0, then the following     /etc/shorewall/NAT 
+we assume that the interface to the upper subnet is eth0, then the
- file would make the lower left-hand system appear to have     IP address 
+following /etc/shorewall/NAT file would make the lower left-hand system
-130.252.100.18 and the right-hand one to have IP address     130.252.100.19.</p>
+appear to have IP address 130.252.100.18 and the right-hand one to have
-                
+IP address 130.252.100.19.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
  <tbody>
    <tr>
@ -75,45 +58,50 @@
      <td>yes</td>
      <td>yes</td>
    </tr>
  </tbody>
 </table>
-                
+<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
-<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
+above example) is (are) not included in any specification in
-      example) is (are) not included in any specification in /etc/shorewall/masq
+/etc/shorewall/masq or /etc/shorewall/proxyarp.</p>
-      or /etc/shorewall/proxyarp.</p>
+<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is
-                
+used to specify whether access to the external IP from all firewall
-<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used 
+interfaces should undergo NAT (Yes or yes) or if only access from the
- to specify whether access to the external IP from all firewall   interfaces 
+interface in the INTERFACE column should undergo NAT. If you leave this
- should undergo NAT (Yes or yes) or if only access from the    interface in
+column empty, "Yes" is assumed.&nbsp;The ALL INTERFACES column was
- the INTERFACE column should undergo NAT. If you leave this     column empty,
+added in version 1.1.6. <span style="font-weight: bold;">Specifying
- "Yes" is assumed. The ALL INTERFACES column was     added in version 1.1.6.</p>
+"Yes" in this column will </span><span
-                
+ style="text-decoration: underline; font-weight: bold;">not</span><span
 style="font-weight: bold;"> allow systems on the lower LAN to access
 each other using their public IP addresses.</span> For example, the
 lower left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and
 expect to be connected to the lower right-hand system. <a
 href="FAQ.htm#faq2a">See FAQ 2a</a>.<br>
 </p>
 <p>Note 2: Shorewall will automatically add the external address to the
-    specified interface unless you specify <a
+specified interface unless you specify <a
 href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
-  /etc/shorewall/shorewall.conf; If you do not set     ADD_IP_ALIASES or
+/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
-if   you set it to "Yes" or "yes" then you must NOT configure your own alias(es). 
+if you set it to "Yes" or "yes" then you must NOT configure your own
-   <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
+alias(es). <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6
- external addresses to an interface that is configured with a single subnetwork
+can only add external addresses to an interface that is configured with
- -- if your external interface has addresses in more than one subnetwork,
+a single subnetwork -- if your external interface has addresses in more
 than one subnetwork,
 Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
-                
+<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
-<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"     column
+column determine whether packets originating on the firewall itself and
-  determine whether packets originating on the firewall itself and     destined
+destined for the EXTERNAL address are redirected to the internal
-  for the EXTERNAL address are redirected to the internal ADDRESS. If   
+ADDRESS. If this column contains "yes" or "Yes" (and the ALL INTERFACES
- this  column contains "yes" or "Yes" (and the ALL     INTERFACES COLUMN
+COLUMN
-also contains  "Yes" or "yes") then     such packets are redirected; otherwise,
+also contains "Yes" or "yes") then such packets are redirected;
 otherwise,
 such packets are not redirected. The LOCAL column was added in version
 1.1.8.</p>
 <blockquote> </blockquote>
-        
+<p><font size="2">Last updated 11/222003 - </font><font size="2"> <a
 <p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-     <a href="copyright.htm"><font size="2">Copyright</font>  © <font
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/NetfilterOverview.html
+++ b/Shorewall-docs/NetfilterOverview.html
@ -0,0 +1,104 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Netfilter Overview</title>
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <p align="left"><font size="2"><big></big></font></p>
 <h1 style="text-align: center;">Netfilter Overview<br>
 </h1>
 Netfilter consists of three <span style="font-style: italic;">tables: </span><span
 style="font-weight: bold;">Filter, Nat </span>and <span
 style="font-weight: bold;">Mangle</span>. Each table has a number of
 build-in <span style="font-style: italic;">chains: </span><span
 style="font-weight: bold;"><span style="font-weight: bold;">PREROUTING,
 INPUT, FORWARD, OUTPUT </span></span>and <span
 style="font-weight: bold;">POSTROUTING.<br>
 <br>
 </span>Rules in the various tables are used as follows:<br>
 <ul>
  <li><span style="font-weight: bold;">Filter: </span>Packet filtering
 (rejecting, dropping or accepting packets)</li>
  <li><span style="font-weight: bold;">Nat: </span>Network Address
 Translation including DNAT, SNAT and Masquerading</li>
  <li><span style="font-weight: bold;">Mangle:</span> General packet
 header modification such as setting the TOS value or marking packets
 for policy routing and traffic shaping.<br>
  </li>
 </ul>
 The following diagram shows how packets traverse the various builtin
 chains within Netfilter. Note that not all table/chain combinations are
 used.<br>
 <br>
 <div style="text-align: center;"><img src="images/Netfilter.png"
 title="" alt="(Netfilter Flow Diagram)"
 style="width: 541px; height: 826px;"><br>
 <br>
 <div style="text-align: left;"><br>
 "Local Process" means a process running on the Shorewall system itself.<br>
 <br>
 In the above diagram are boxes similar to this:<br>
 <br>
 <img src="images/Legend.png" title="" alt="(Diagram Legend)"
 style="width: 145px; height: 97px;"><br>
 <br>
 The above box gives the name of the built-in <span
 style="font-style: italic;">chain </span>(<span
 style="font-weight: bold;">INPUT</span>) along with the names of the <span
 style="font-style: italic;">tables </span>(<span
 style="font-weight: bold;">Mangle </span>and <span
 style="font-weight: bold;">Filter</span>) that the chain exists in and
 in the order that the chains are traversed. The above sample indicates
 that packets go first through the <span style="font-weight: bold;">INPUT</span>
 chain of the <span style="font-weight: bold;">Mangle </span>table
 then
 through the <span style="font-weight: bold;">INPUT</span> chain of the
 <span style="font-weight: bold;">Filter </span>table. When a chain is
 enclosed in parentheses, Shorewall does not use the named chain (<span
 style="font-weight: bold;">INPUT)</span> in that table <span
 style="font-weight: bold;">(Mangle)</span>.<br>
 <br>
 <span style="font-weight: bold;">IMPORTANT: </span>Keep in mind that
 chains in the <span style="font-weight: bold;">Nat</span> table are <span
 style="text-decoration: underline;">only traversed for new connection
 requests</span> (including those related to existing connections) while
 the chains in the other tables are traversed on every packet.<br>
 <br>
 The above diagram should help you understand the output of "shorewall
 status".<br>
 <br>
 Here are some excerpts from "shorewall status" on a server with one
 interface (eth0):<br>
 <br>
 <pre style="margin-left: 40px;">[root@lists html]# shorewall status<br> <br>Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003<br>                                                                                                                                                                                    <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br><br></pre>
 The first table shown is the <span style="font-weight: bold;">Filter </span>table.<br>
 <pre style="margin-left: 40px;">                                                                                                                                                                                    <br>Chain INPUT (policy DROP 0 packets, 0 bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> 679K  182M ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0<br> 785K   93M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID<br></pre>
 The following rule indicates that all traffic destined for the firewall
 that comes into the firewall on eth0 is passed to a chain called
 "eth0_in". That chain will be shown further down.<br>
 <pre style="margin-left: 40px;"> 785K   93M eth0_in    all  --  eth0   *       0.0.0.0/0            0.0.0.0/0<br>    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'<br>    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>                                                                                                                                                                                    <br>Chain FORWARD (policy DROP 0 packets, 0 bytes)<br> pkts bytes target     prot opt in     out     source               destination<br>    0     0 accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID<br>    0     0 eth0_fwd   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0<br>    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'<br>    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>                                                                                                                                                                                    <br>Chain OUTPUT (policy DROP 1 packets, 60 bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> 679K  182M ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0<br> 922K  618M accounting  all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 DROP      !icmp --  *      *       0.0.0.0/0            0.0.0.0/0          state INVALID<br> 922K  618M fw2net     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0<br>    0     0 common     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br>    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'<br>    0     0 reject     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br></pre>
 Here is the eth0_in chain:<br>
 <pre style="margin-left: 40px;">Chain eth0_in (1 references)<br> pkts bytes target     prot opt in     out     source               destination<br> 785K   93M dynamic    all  --  *      *       0.0.0.0/0            0.0.0.0/0<br> 785K   93M net2fw     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br></pre>
 The "dynamic" chain above is where dynamic blacklisting is done.<br>
 <br>
 Next comes the <span style="font-weight: bold;">Nat </span>table:<br>
 <pre style="margin-left: 40px;">NAT Table<br> <br>Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br>20005 1314K net_dnat   all  --  eth0   *       0.0.0.0/0            0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain net_dnat (1 references)<br> pkts bytes target     prot opt in     out     source               destination<br>  638 32968 REDIRECT   tcp  --  *      *       0.0.0.0/0           !206.124.146.177    tcp dpt:80 redir ports 3128<br></pre>
 And finally, the <span style="font-weight: bold;">Mangle </span>table:&nbsp;<br>
 <pre style="margin-left: 40px;">Mangle Table<br> <br>Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br>1464K  275M pretos     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br> <br>Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br>1601K  800M outtos     all  --  *      *       0.0.0.0/0            0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target     prot opt in     out     source               destination<br> <br>Chain outtos (1 references)<br> pkts bytes target     prot opt in     out     source               destination<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10<br> 315K  311M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10<br>  683 59143 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10<br> 3667 5357K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08<br> <br>Chain pretos (1 references)<br> pkts bytes target     prot opt in     out     source               destination<br> 271K   15M TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS set 0x10<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:22 TOS set 0x10<br>  730 41538 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS set 0x10<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:21 TOS set 0x10<br>    0     0 TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp spt:20 TOS set 0x08<br> 2065  111K TOS        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS set 0x08<br></pre>
 <pre style="margin-left: 40px;"></pre>
 </div>
 </div>
 <p align="left"><font size="2">Last updated 10/14/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
 <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/News.htm
+++ b/Shorewall-docs/News.htm
@ -8,17 +8,287 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Shorewall News Archive<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+<p><b>11/07/2003 - Shorewall 1.4.8<br>
-  <tbody>
+<br>
-    <tr>
+</b>Problems Corrected since version 1.4.7:<br>
-      <td width="100%">
+</p>
-      <h1 align="center"><font color="#ffffff">Shorewall News Archive</font></h1>
+<ol>
-      </td>
+  <li>Tuomo Soini has supplied a correction to a problem that occurs
-    </tr>
+using some versions of 'ash'. The symptom is that "shorewall start"
-  </tbody>
+fails with:<br>
-</table>
+&nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
 &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.</li>
  <li>Andres Zhoglo has supplied a correction that avoids trying to use
 the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Example of rule that previously caused "shorewall start"
 to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
    <br>
  </li>
  <li>Previously, if the following error message was issued, Shorewall
 was left in an inconsistent state.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
    <br>
  </li>
  <li>Handling of the LOGUNCLEAN option in shorewall.conf has been
 corrected.</li>
  <li>In Shorewall 1.4.2, an optimization was added. This optimization
 involved creating a chain named "&lt;zone&gt;_frwd" for most zones
 defined using the /etc/shorewall/hosts file. It has since been
 discovered that in many cases these new chains contain redundant rules
 and that the "optimization" turns out to be less than optimal. The
 implementation has now been corrected.</li>
  <li>When the MARK value in a tcrules entry is followed by ":F" or
 ":P", the ":F" or ":P" was previously only applied to the first
 Netfilter rule generated by the entry. It is now applied to all entries.</li>
  <li>An incorrect comment concerning Debian's use of the SUBSYSLOCK
 option has been removed from shorewall.conf.</li>
  <li>Previously, neither the 'routefilter' interface option nor the
 ROUTE_FILTER parameter were working properly. This has been corrected
 (thanks to Eric Bowles for his analysis and patch). The definition of
 the ROUTE_FILTER option has changed however. Previously,
 ROUTE_FILTER=Yes was documented as enabling route filtering on all
 interfaces (which didn't work). Beginning with this release, setting
 ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
 up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
 coexist with the use of the 'routefilter' option in the interfaces file.</li>
  <li>If MAC verification was enabled on an interface with a /32
 address and a broadcast address then an error would occur during
 startup.</li>
  <li>The NONE policy's intended use is to suppress the generating of
 rules that can't possibly be traversed. This means that a policy of
 NONE is inappropriate where the source or destination zone is $FW or
 "all". Shorewall now generates an error message if such a policy is
 given in /etc/shorewall/policy. Previously such a policy caused
 "shorewall start" to fail.</li>
  <li>The 'routeback' option was broken for wildcard interfaces (e.g.,
 "tun+"). This has been corrected so that 'routeback' now works as
 expected in this case.<br>
  </li>
 </ol>
 Migration Issues:<br>
 <ol>
  <li>The definition of the ROUTE_FILTER option in shorewall.conf has
 changed as described in item 8) above.<br>
  </li>
 </ol>
 New Features:<br>
 <ol>
  <li>A new QUEUE action has been introduced for rules. QUEUE allows
 you to pass connection requests to a user-space filter such as ftwall
 (http://p2pwall.sourceforge.net). The ftwall program allows for
 effective filtering of p2p applications such as Kazaa. For example, to
 use ftwall to filter P2P clients in the 'loc' zone, you would add the
 following rules:<br>
    <br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
    <br>
 You would normally want to place those three rules BEFORE any ACCEPT
 rules for loc-&gt;net udp or tcp.<br>
    <br>
 Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
 Shorewall will only pass connection requests (SYN packets) to user
 space. This is for compatibility with ftwall.</li>
  <li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
 this option is set to "Yes", the blacklists (dynamic and static) are
 only consulted for new connection requests. When set to "No" (the
 default if the variable is not set), the blacklists are consulted on
 every packet.<br>
    <br>
 Setting this option to "No" allows blacklisting to stop existing
 connections from a newly blacklisted host but is more expensive in
 terms of packet processing time. This is especially true if the
 blacklists contain a large number of entries.</li>
  <li>Chain names used in the /etc/shorewall/accounting file may now
 begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
 </ol>
 <p><b>10/30/2003 - Shorewall 1.4.8 RC1<br>
 </b></p>
 Given the small number of new features and the relatively few lines of
 code that were changed, there will be no Beta for 1.4.8.<br>
 <p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
 <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
 <br>
 </b>Problems Corrected since version 1.4.7:<br>
 </p>
 <ol>
  <li>Tuomo Soini has supplied a correction to a problem that occurs
 using some versions of 'ash'. The symptom is that "shorewall start"
 fails with:<br>
 &nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
 &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.</li>
  <li>Andres Zhoglo has supplied a correction that avoids trying to use
 the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Example of rule that previously caused "shorewall start"
 to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
    <br>
  </li>
  <li>Previously, if the following error message was issued, Shorewall
 was left in an inconsistent state.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
    <br>
  </li>
  <li>Handling of the LOGUNCLEAN option in shorewall.conf has been
 corrected.</li>
  <li>In Shorewall 1.4.2, an optimization was added. This optimization
 involved creating a chain named "&lt;zone&gt;_frwd" for most zones
 defined using the /etc/shorewall/hosts file. It has since been
 discovered that in many cases these new chains contain redundant rules
 and that the "optimization" turns out to be less than optimal. The
 implementation has now been corrected.</li>
  <li>When the MARK value in a tcrules entry is followed by ":F" or
 ":P", the ":F" or ":P" was previously only applied to the first
 Netfilter rule generated by the entry. It is now applied to all entries.</li>
  <li>An incorrect comment concerning Debian's use of the SYBSYSLOCK
 option has been removed from shorewall.conf.</li>
  <li>Previously, neither the 'routefilter' interface option nor the
 ROUTE_FILTER parameter were working properly. This has been corrected
 (thanks to Eric Bowles for his analysis and patch). The definition of
 the ROUTE_FILTER option has changed however. Previously,
 ROUTE_FILTER=Yes was documented as enabling route filtering on all
 interfaces (which didn't work). Beginning with this release, setting
 ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
 up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
 coexist with the use of the 'routefilter' option in the interfaces file.</li>
 </ol>
 Migration Issues:<br>
 <ol>
  <li>The definition of the ROUTE_FILTER option in shorewall.conf has
 changed as described in item 8) above.<br>
  </li>
 </ol>
 New Features:<br>
 <ol>
  <li>A new QUEUE action has been introduced for rules. QUEUE allows
 you to pass connection requests to a user-space filter such as ftwall
 (http://p2pwall.sourceforge.net). The ftwall program allows for
 effective filtering of p2p applications such as Kazaa. For example, to
 use ftwall to filter P2P clients in the 'loc' zone, you would add the
 following rules:<br>
    <br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
    <br>
 You would normally want to place those three rules BEFORE any ACCEPT
 rules for loc-&gt;net udp or tcp.<br>
    <br>
 Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
 Shorewall will only pass connection requests (SYN packets) to user
 space. This is for compatibility with ftwall.</li>
  <li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
 this option is set to "Yes", the blacklists (dynamic and static) are
 only consulted for new connection requests. When set to "No" (the
 default if the variable is not set), the blacklists are consulted on
 every packet.<br>
    <br>
 Setting this option to "No" allows blacklisting to stop existing
 connections from a newly blacklisted host but is more expensive in
 terms of packet processing time. This is especially true if the
 blacklists contain a large number of entries.</li>
  <li>Chain names used in the /etc/shorewall/accounting file may now
 begin with a digit ([0-9]) and may contain embedded dashes ("-").<br>
  </li>
 </ol>
 <b></b>
 <p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag
 awards </b><b><img
 style="border: 0px solid ; width: 50px; height: 80px;"
 src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
 1.4.7c released.</b></p>
 <ol>
  <li>The saga with "&lt;zone&gt;_frwd" chains continues. The 1.4.7c
 script produces a ruleset that should work for everyone even if it is
 not quite optimal. My apologies for this ongoing mess.<br>
  </li>
 </ol>
 <p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
 This is a bugfx rollup of the 1.4.7a fixes plus:<br>
 <ol>
  <li>The fix for problem 5 in 1.4.7a was wrong with the result that
 "&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
 is corrected in this release.<br>
  </li>
 </ol>
 <p><b>10/21/2003 - Shorewall 1.4.7a<br>
 </b></p>
 <p>This is a bugfix rollup of the following problem corrections:<br>
 </p>
 <ol>
  <li>Tuomo Soini has supplied a correction to a problem that occurs
 using some versions of 'ash'. The symptom is that "shorewall start"
 fails with:<br>
 &nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
 &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.<br>
    <br>
  </li>
  <li>Andres Zhoglo has supplied a correction that avoids trying to use
 the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Example of rule that previously caused "shorewall start"
 to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
    <br>
  </li>
  <li>Previously, if the following error message was issued, Shorewall
 was left in an inconsistent state.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Error: Unable to determine the routes through
 interface xxx<br>
    <br>
  </li>
  <li>Handling of the LOGUNCLEAN option in shorewall.conf has been
 corrected.</li>
  <li>In Shorewall 1.4.2, an optimization was added. This optimization
 involved creating a chain named "&lt;zone&gt;_frwd" for most zones
 defined using the /etc/shorewall/hosts file. It has since been
 discovered that in many cases these new chains contain redundant rules
 and that the "optimization" turns out to be less than optimal. The
 implementation has now been corrected.</li>
  <li>When the MARK value in a tcrules entry is followed by ":F" or
 ":P", the ":F" or ":P" was previously only applied to the first
 Netfilter rule generated by the entry. It is now applied to all entries.<br>
  </li>
 </ol>
 <p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
 </b></p>
 <b>Problems Corrected since version 1.4.6 (Those in bold font were
@ -290,7 +560,7 @@ where we started.<br>
 show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
  <li>Output rules (those with $FW as the SOURCE) may now be
 limited to a set of local users and/or groups. See <a
- href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
+ href="UserSets.html">http://shorewall.net/UserSets.html</a>
 for details.</li>
 </ol>
 <p><b>10/02/2003 - Shorewall 1.4.7 RC2</b><b><br>
@ -555,7 +825,7 @@ where we started.<br>
 show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
  <li>Output rules (those with $FW as the SOURCE) may now be
 limited to a set of local users and/or groups. See <a
- href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
+ href="UserSets.html">http://shorewall.net/UserSets.html</a>
 for details.</li>
 </ol>
 <p><b>9/18/2003 - Shorewall 1.4.7 RC 1</b><b><br>
@ -997,7 +1267,7 @@ where we started.<br>
 show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
  <li>Output rules (those with $FW as the SOURCE) may now be
 limited to a set of local users and/or groups. See <a
- href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
+ href="UserSets.html">http://shorewall.net/UserSets.html</a>
 for details.</li>
 </ol>
 <p><b>8/27/2003 - Shorewall Mirror in Australia</b></p>
@ -1554,8 +1824,7 @@ ADDRESS column in /etc/shorewall/masq may now include a comma-separated
 list of addresses and/or address ranges. Netfilter will use all listed
 addresses/ranges in round-robin fashion. \</li>
  <li>An /etc/shorewall/accounting file has been added to allow for
-traffic accounting.&nbsp; See the <a
+traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
 href="file:///vfat/Shorewall-docs/Accounting.html">accounting
 documentation</a> for a description of this facility.</li>
  <li>Bridge interfaces (br[0-9]) may now be used in
 /etc/shorewall/maclist.</li>
@ -4550,7 +4819,7 @@ deleted.</li>
 an additional "gw" (gateway) zone for tunnels and it supports IPSEC
 tunnels with end-points on the firewall. There is also a .lrp available
 now.</b></p>
-<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2">Updated 11/07/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
 size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/OPENVPN.html
+++ b/Shorewall-docs/OPENVPN.html
@ -1,65 +1,39 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>OpenVPN Tunnels</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">OpenVPN Tunnels<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<p>OpenVPN is a robust and highly configurable VPN (Virtual Private
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+Network) daemon which can be used to securely link two or more private
-     <tbody>
+networks using an encrypted tunnel over the internet. OpenVPN is an
-       <tr>
+Open Source project and is <a
-       <td width="100%">       
+ href="http://openvpn.sourceforge.net/license.html">licensed under the
-      <h1 align="center"><font color="#ffffff">OpenVPN Tunnels</font></h1>
+GPL</a>. OpenVPN can be downloaded from <a
       </td>
     </tr>
  </tbody> 
 </table>
 <h3><br>
   </h3>
 <p>OpenVPN is a robust and highly configurable VPN (Virtual Private Network) 
 daemon which can be used to securely link two or more private networks using 
 an encrypted tunnel over the internet. OpenVPN is an Open Source project 
 and is <a href="http://openvpn.sourceforge.net/license.html">licensed under 
 the GPL</a>. OpenVPN can be downloaded from <a
 href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
-   </p>
+</p>
 <p>OpenVPN support was added to Shorewall in version 1.3.14.<br>
-   </p>
+</p>
 <h2>Bridging two Masqueraded Networks</h2>
 <p>Suppose that we have the following situation:</p>
 <p align="center"><img border="0" src="images/TwoNets1.png" width="745"
- height="427">
+ height="427"> </p>
-  </p>
+<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
-  
+able to communicate with the systems in the 10.0.0.0/8 network. This is
-<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able 
+accomplished through use of the /etc/shorewall/tunnels file and the
- to communicate with the systems in the 10.0.0.0/8 network. This is accomplished 
+/etc/shorewall/policy file and OpenVPN.</p>
- through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy 
+<p align="left">While it was possible to use the Shorewall start and
- file and OpenVPN.</p>
+stop script to start and stop OpenVPN, I decided to use the init script
-  
+of OpenVPN to start and stop it.</p>
-<p align="left">While it was possible to use the Shorewall start and stop 
+<p align="left">On each firewall, you will need to declare a zone to
- script to start and stop OpenVPN, I decided to use the init script of OpenVPN 
+represent the remote subnet. We'll assume that this zone is called
- to start and stop it.</p>
+'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
 <p align="left">On each firewall, you will need to declare a zone to represent 
 the remote subnet. We'll assume that this zone is called 'vpn' and declare 
 it in  /etc/shorewall/zones on both systems as follows.</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -73,14 +47,12 @@ the GPL</a>. OpenVPN can be downloaded from <a
        <td>VPN</td>
        <td>Remote Subnet</td>
      </tr>
    </tbody>
  </table>
-    </blockquote>
+</blockquote>
-  
+<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
-<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
+zone.
 In /etc/shorewall/interfaces:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -95,15 +67,13 @@ In /etc/shorewall/interfaces:</p>
        <td>tun0</td>
        <td><br>
        </td>
-         <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p align="left">In /etc/shorewall/tunnels on system A, we need the
-<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
+following:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -117,19 +87,16 @@ In /etc/shorewall/interfaces:</p>
        <td>openvpn</td>
        <td>net</td>
        <td>134.28.54.2</td>
-         <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p>This entry in /etc/shorewall/tunnels opens the firewall so that
-<p>This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN 
+OpenVPN traffic on the default port 5000/udp will be accepted to/from
- traffic on the default port 5000/udp will be accepted to/from the remote 
+the remote gateway. If you change the port used by OpenVPN to 7777, you
-gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels 
+can define&nbsp;/etc/shorewall/tunnels like this:<br>
- like this:<br>
+</p>
   </p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -143,38 +110,32 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
        <td>openvpn:7777</td>
        <td>net</td>
        <td>134.28.54.2</td>
-         <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
 <p>This is the OpenVPN config on system A:</p>
 <blockquote>
  <p></p>
-   </blockquote>
+</blockquote>
 <blockquote>
  <p>dev tun<br>
-   local 206.162.148.9<br>
+local 206.162.148.9<br>
-   remote 134.28.54.2<br>
+remote 134.28.54.2<br>
-   ifconfig 192.168.99.1 192.168.99.2<br>
+ifconfig 192.168.99.1 192.168.99.2<br>
-   up ./route-a.up<br>
+up ./route-a.up<br>
-   tls-server<br>
+tls-server<br>
-   dh dh1024.pem<br>
+dh dh1024.pem<br>
-   ca ca.crt<br>
+ca ca.crt<br>
-   cert my-a.crt<br>
+cert my-a.crt<br>
-   key my-a.key<br>
+key my-a.key<br>
-   comp-lzo<br>
+comp-lzo<br>
-   verb 5<br>
+verb 5<br>
  </p>
-   </blockquote>
+</blockquote>
 <p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
- zone. In /etc/shorewall/interfaces:</p>
+zone. In /etc/shorewall/interfaces:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -188,15 +149,12 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
        <td>vpn</td>
        <td>tun0</td>
        <td>192.168.1.255</td>
-         <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
 <p>In /etc/shorewall/tunnels on system B, we have:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -210,34 +168,29 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
        <td>openvpn</td>
        <td>net</td>
        <td>206.191.148.9</td>
-         <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p>And in the&nbsp;OpenVPN config on system B:</p>
 <p>And in the OpenVPN config on system B:</p>
 <blockquote>
  <p>dev tun<br>
-   local 134.28.54.2<br>
+local 134.28.54.2<br>
-   remote 206.162.148.9<br>
+remote 206.162.148.9<br>
-   ifconfig 192.168.99.2 192.168.99.1<br>
+ifconfig 192.168.99.2 192.168.99.1<br>
-   up ./route-b.up<br>
+up ./route-b.up<br>
-   tls-client<br>
+tls-client<br>
-   ca ca.crt<br>
+ca ca.crt<br>
-   cert my-b.crt<br>
+cert my-b.crt<br>
-   key my-b.key<br>
+key my-b.key<br>
-   comp-lzo<br>
+comp-lzo<br>
-   verb 5<br>
+verb 5<br>
  </p>
-   </blockquote>
+</blockquote>
-  
+<p align="left">You will need to allow traffic between the "vpn" zone
-<p align="left">You will need to allow traffic between the "vpn" zone and 
+and the "loc" zone on both systems -- if you simply want to admit all
-       the "loc" zone on both systems -- if you simply want to admit all traffic
+traffic in both directions, you can use the policy file:</p>
       in both directions, you can use the policy file:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -251,34 +204,29 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
        <td>loc</td>
        <td>vpn</td>
        <td>ACCEPT</td>
-             <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>vpn</td>
        <td>loc</td>
        <td>ACCEPT</td>
-             <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p>On both systems, restart Shorewall and start OpenVPN. The systems in
-<p>On both systems, restart Shorewall and start OpenVPN. The systems in the 
+the two masqueraded subnetworks can now talk to each other.</p>
 two masqueraded subnetworks can now talk to each other.</p>
 <p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
 <small>and Simon Mater</small><br>
-  </p>
+</p>
 <p><font size="2"> </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- © <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
+© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
-  </font></a></font></p>
+</font></a></font></p>
-   <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/PPTP.htm
+++ b/Shorewall-docs/PPTP.htm
@ -9,17 +9,8 @@
  <title>Shorewall PPTP</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">PPTP<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">PPTP</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <h4>NOTE: I am no longer attempting to maintain MPPE patches for
 current
 Linux kernel's and pppd. I recommend that you refer to the following
@ -263,9 +254,191 @@ status)<br>
 esac</font></p>
 </blockquote>
 <h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
-<p>I consider hosts connected to my PPTP server to be just like local
+<h4><span style="text-decoration: underline;">Basic Setup</span><br>
-systems.
+</h4>
-My key Shorewall entries are:</p>
+<p>Here' a basic setup that treats your remote users as if they were
 part of your <span style="font-weight: bold;">loc</span> zone. Note
 that if your primary internet connection uses ppp0, then be sure that <span
 style="font-weight: bold;">loc</span> follows <span
 style="font-weight: bold;">net</span> in /etc/shorewall/zones.<br>
 </p>
 <p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
 </p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><strong> TYPE</strong></td>
        <td><strong> ZONE</strong></td>
        <td><strong> GATEWAY</strong></td>
        <td><strong> GATEWAY ZONE</strong></td>
      </tr>
      <tr>
        <td>pptpserver<br>
        </td>
        <td>net</td>
        <td>0.0.0.0/0<br>
        </td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p><span style="font-weight: bold;">/etc/shorewall/interfaces:</span><br>
 </p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>ZONE</b></td>
        <td><b>INTERFACE</b></td>
        <td><b>BROADCAST</b></td>
        <td><b>OPTIONS</b></td>
      </tr>
      <tr>
        <td>loc<br>
        </td>
        <td>ppp+</td>
        <td>&nbsp;-</td>
        <td><br>
        </td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <h4 style="text-decoration: underline;">Remote Users in a Separate Zone</h4>
 If you want to place your remote users in their own zone so that you
 can control connections between these users and the local network,
 follow this example. Note that if your primary internet connection uses
 ppp0 then be sure that <span style="font-weight: bold;">vpn</span>
 follows <span style="font-weight: bold;">net</span> in
 /etc/shorewall/zones as shown below.<br>
 <br>
 <span style="font-weight: bold;">/etc/shorewall/tunnels:<br>
 </span>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><strong> TYPE</strong></td>
        <td><strong> ZONE</strong></td>
        <td><strong> GATEWAY</strong></td>
        <td><strong> GATEWAY ZONE</strong></td>
      </tr>
      <tr>
        <td>pptpserver<br>
        </td>
        <td>net</td>
        <td>0.0.0.0/0<br>
        </td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <span style="font-weight: bold;">/etc/shorewall/zones:<br>
 </span>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>ZONE</b></td>
        <td><b>DISPLAY</b></td>
        <td><b>COMMENTS</b></td>
      </tr>
      <tr>
        <td>net</td>
        <td>Internet</td>
        <td>The Internet</td>
      </tr>
      <tr>
        <td>loc</td>
        <td>Local</td>
        <td>Local Network <br>
        </td>
      </tr>
      <tr>
        <td style="vertical-align: top;">vpn</td>
        <td style="vertical-align: top;">VPN<br>
        </td>
        <td style="vertical-align: top;">Remote Users<br>
        </td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <h4>/etc/shorewall/interfaces:</h4>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>ZONE</b></td>
        <td><b>INTERFACE</b></td>
        <td><b>BROADCAST</b></td>
        <td><b>OPTIONS</b></td>
      </tr>
      <tr>
        <td>net</td>
        <td>eth0</td>
        <td>206.124.146.255</td>
        <td>norfc1918</td>
      </tr>
      <tr>
        <td>loc</td>
        <td>eth2</td>
        <td>192.168.10.255</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>vpn<br>
        </td>
        <td>ppp+</td>
        <td>&nbsp;-</td>
        <td><br>
        </td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 Your policies and rules may now be configured for traffic to/from the <span
 style="font-weight: bold;">vpn</span> zone.<br>
 <h4><span style="text-decoration: underline;">Multiple Remote Networks</span><br>
 </h4>
 <p>Often there will be situations where you want multiple connections
 from remote networks with these networks having different firewalling
 requirements.<br>
 </p>
 <div style="text-align: center;"><img src="images/MultiPPTP.png"
 title="" alt="" style="width: 846px; height: 544px;"><br>
 </div>
 <p>Here's how you configure this in Shorewall. Note that if your
 primary internet connection uses ppp0 then be sure that the <span
 style="font-weight: bold;">vpn{1-3}</span> zones follows <span
 style="font-weight: bold;">net</span> in /etc/shorewall/zones as shown
 below.<br>
 </p>
 <p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
 </p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><strong> TYPE</strong></td>
        <td><strong> ZONE</strong></td>
        <td><strong> GATEWAY</strong></td>
        <td><strong> GATEWAY ZONE</strong></td>
      </tr>
      <tr>
        <td>pptpserver<br>
        </td>
        <td>net</td>
        <td>0.0.0.0/0<br>
        </td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <h4>/etc/shorewall/zones:</h4>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -283,7 +456,31 @@ My key Shorewall entries are:</p>
      <tr>
        <td>loc</td>
        <td>Local</td>
-        <td>My Local Network including remote PPTP clients</td>
+        <td>Local Network <br>
        </td>
      </tr>
      <tr>
        <td style="vertical-align: top;">vpn1</td>
        <td style="vertical-align: top;">Remote1<br>
        </td>
        <td style="vertical-align: top;">Remote Network 1<br>
        </td>
      </tr>
      <tr>
        <td style="vertical-align: top;">vpn2<br>
        </td>
        <td style="vertical-align: top;">Remote2<br>
        </td>
        <td style="vertical-align: top;">Remote Network 2<br>
        </td>
      </tr>
      <tr>
        <td style="vertical-align: top;">vpn3<br>
        </td>
        <td style="vertical-align: top;">Remote3<br>
        </td>
        <td style="vertical-align: top;">Remote Network 3<br>
        </td>
      </tr>
    </tbody>
  </table>
@ -307,13 +504,13 @@ My key Shorewall entries are:</p>
      <tr>
        <td>loc</td>
        <td>eth2</td>
-        <td>192.168.1.255</td>
+        <td>192.168.10.255</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>-</td>
        <td>ppp+</td>
-        <td>&nbsp;</td>
+        <td>&nbsp;-</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
@ -329,151 +526,32 @@ My key Shorewall entries are:</p>
        <td><b>OPTIONS</b></td>
      </tr>
      <tr>
-        <td>loc</td>
+        <td>vpn1<br>
        <td>eth2:192.168.1.0/24</td>
        <td><br>
        </td>
      </tr>
      <tr>
        <td>loc</td>
        <td>ppp+:192.168.1.0/24</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <h4>/etc/shorewall/policy:</h4>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
-        <td><b>SOURCE</b></td>
+        <td style="vertical-align: top;">vpn2<br>
        <td><b>DEST</b></td>
        <td><b>POLICY</b></td>
        <td><b>LOG LEVEL</b></td>
      </tr>
      <tr>
        <td>loc</td>
        <td>loc</td>
        <td>ACCEPT</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <h4>/etc/shorewall/rules (For Shorewall versions up to and including
 1.3.9b):</h4>
 <blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>ACTION</b></td>
        <td><b>SOURCE</b></td>
        <td><b>DEST</b></td>
        <td><b> PROTO</b></td>
        <td><b>DEST<br>
 PORT(S)</b></td>
        <td><b>SOURCE<br>
 PORT(S)</b></td>
        <td><b>ORIGINAL<br>
 DEST</b></td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>net</td>
        <td>fw</td>
        <td>tcp</td>
        <td>1723</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>net</td>
        <td>fw</td>
        <td>47</td>
        <td>-</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>fw</td>
        <td>net</td>
        <td>47</td>
        <td>-</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions
 1.3.10 and
 later)<br>
 </b></p>
 <blockquote>
  <table cellpadding="2" border="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td valign="top"><b>TYPE<br>
        </b></td>
        <td valign="top"><b>ZONE<br>
        </b></td>
        <td valign="top"><b>GATEWAY<br>
        </b></td>
        <td valign="top"><b>GATEWAY ZONE<br>
        </b></td>
      </tr>
      <tr>
        <td valign="top">pptpserver<br>
        </td>
-        <td valign="top">net<br>
+        <td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
        </td>
-        <td valign="top">0.0.0.0/0<br>
+        <td style="vertical-align: top;"><br>
        </td>
-        <td valign="top"><br>
+      </tr>
      <tr>
        <td style="vertical-align: top;">vpn3<br>
        </td>
        <td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
        </td>
        <td style="vertical-align: top;"><br>
        </td>
      </tr>
    </tbody>
  </table>
 </blockquote>
-<p align="left"><br>
+Your policies and rules can now be configured using separate zones
-Note: I have multiple ppp interfaces on my firewall. If you have a
+(vpn1, vpn2, and vpn3) for the three remote network.<br>
 single
 ppp interface, you probably want:</p>
 <h4>/etc/shorewall/interfaces:</h4>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>ZONE</b></td>
        <td><b>INTERFACE</b></td>
        <td><b>BROADCAST</b></td>
        <td><b>OPTIONS</b></td>
      </tr>
      <tr>
        <td>net</td>
        <td>eth0</td>
        <td>206.124.146.255</td>
        <td>norfc1918</td>
      </tr>
      <tr>
        <td>loc</td>
        <td>eth2</td>
        <td>192.168.1.255</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>loc</td>
        <td>ppp0</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
 <h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
 Behind
 your Firewall</h2>
@ -968,7 +1046,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
 That entry allows a PPTP tunnel to be established between your
 Shorewall system and the PPTP server in the modem.<br>
 </div>
-<p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
+<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
--- a/Shorewall-docs/ProxyARP.htm
+++ b/Shorewall-docs/ProxyARP.htm
@ -1,53 +1,32 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Proxy ARP</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">Proxy ARP<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+<p>Proxy ARP allows you to insert a firewall in front of a set of
- bgcolor="#3366ff" height="90">
+servers without changing their IP addresses and without having to
-           <tbody>
+re-subnet. Before you try to use this technique, I strongly recommend
-        <tr>
+that you read the <a href="shorewall_setup_guide.htm">Shorewall Setup
-             <td width="100%">       
+Guide.</a></p>
      <h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
             </td>
           </tr>
  </tbody> 
 </table>
 <p>Proxy ARP allows you to insert a firewall in front of a set of servers 
      without changing their IP addresses and without having to re-subnet. 
 Before you try to use this technique, I strongly recommend that you read 
 the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
 <p>The following figure represents a Proxy ARP environment.</p>
 <blockquote>
-  <p align="center"><strong>     <img src="images/proxyarp.png"
+  <p align="center"><strong> <img src="images/proxyarp.png" width="519"
- width="519" height="397">
+ height="397"> </strong></p>
      </strong></p>
  <blockquote> </blockquote>
-     </blockquote>
+</blockquote>
-  
+<p align="left">Proxy ARP can be used to make the systems with
-<p align="left">Proxy ARP can be used to make the systems with addresses 
+addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper
-   130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) 
+(130.252.100.*) subnet.&nbsp; Assuming that the upper firewall
-      subnet.  Assuming that the upper firewall interface is eth0 and the 
+interface is eth0 and the lower interface is eth1, this is accomplished
-     lower interface is eth1, this is accomplished using the following entries 
+using the following entries in /etc/shorewall/proxyarp:</p>
 in      /etc/shorewall/proxyarp:</p>
 <blockquote>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
@ -69,124 +48,118 @@ the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
        <td>eth0</td>
        <td>no</td>
      </tr>
    </tbody>
  </table>
-     </blockquote>
+</blockquote>
-  
+<p>Be sure that the internal systems (130.242.100.18 and
-<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19  
+130.252.100.19&nbsp; in the above example) are not included in any
-   in the above example) are not included in any specification in      /etc/shorewall/masq 
+specification in /etc/shorewall/masq or /etc/shorewall/nat.</p>
-or /etc/shorewall/nat.</p>
+<p>Note that I've used an RFC1918 IP address for eth1 - that IP address
-  
+is irrelevant. </p>
-<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is 
+<p>The lower systems (130.252.100.18 and 130.252.100.19) should have
-      irrelevant. </p>
+their subnet mask and default gateway configured exactly the same way
-  
+that the Firewall system's eth0 is configured. In other words, they
-<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their 
+should be configured just like they would be if they were parallel to
-      subnet mask and default gateway configured exactly the same way that 
+the firewall rather than behind it.<br>
- the      Firewall system's eth0 is configured.  In other words, they should 
+</p>
-be configured just like they would be if they were parallel to the firewall 
+<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed
-rather than behind it.<br>
+address(es) (130.252.100.18 and 130.252.100.19 in the above
-  </p>
+example)&nbsp; to the external interface (eth0 in this example) of the
-  
+firewall.</b></font><br>
-<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es) 
+</p>
 (130.252.100.18 and 130.252.100.19 in the above example)  to the external 
 interface (eth0 in this example) of the firewall.</b></font><br>
                      </p>
 <div align="left"> </div>
 <div align="left">
-<p align="left">A word of warning is in order here. ISPs typically configure 
+<p align="left">A word of warning is in order here. ISPs typically
-    their routers with a long ARP cache timeout. If you move a system from 
+configure their routers with a long ARP cache timeout. If you move a
-    parallel to your firewall to behind your firewall with Proxy ARP, it
+system from parallel to your firewall to behind your firewall with
-will     probably be HOURS before that system can communicate with the internet. 
+Proxy ARP, it
- There are a couple of things that you can try:<br>
+will probably be HOURS before that system can communicate with the
-    </p>
+internet. There are a couple of things that you can try:<br>
-  
+</p>
 <ol>
  <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
 Illustrated, Vol 1</i> reveals that a <br>
    <br>
-    "gratuitous" ARP packet should cause the ISP's router to refresh their 
+"gratuitous" ARP packet should cause the ISP's router to refresh their
-ARP  cache (section 4.7). A gratuitous ARP is simply a host requesting the 
+ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
-MAC  address for its own IP; in addition to ensuring that the IP address
+the MAC address for its own IP; in addition to ensuring that the IP
 address
 isn't a duplicate...<br>
    <br>
-    "if the host sending the gratuitous ARP has just changed its hardware 
+"if the host sending the gratuitous ARP has just changed its hardware
-address...,  this packet causes any other host...that has an entry in its 
+address..., this packet causes any other host...that has an entry in
-cache for the  old hardware address to update its ARP cache entry accordingly."<br>
+its cache for the old hardware address to update its ARP cache entry
 accordingly."<br>
    <br>
-    Which is, of course, exactly what you want to do when you switch a host 
+Which is, of course, exactly what you want to do when you switch a host
- from being exposed to the Internet to behind Shorewall using proxy ARP (or 
+from being exposed to the Internet to behind Shorewall using proxy ARP
- static NAT for that matter). Happily enough, recent versions of Redhat's 
+(or one-to-one NAT for that matter). Happily enough, recent versions of
-iputils package include "arping", whose "-U" flag does just that:<br>
+Redhat's iputils package include "arping", whose "-U" flag does just
 that:<br>
    <br>
-        <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly 
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I <i>&lt;net
-proxied  IP&gt;</i></b></font><br>
+if&gt; &lt;newly proxied IP&gt;</i></b></font><br>
-        <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
 66.58.99.83 # for example</b></font><br>
    <br>
-    Stevens goes on to mention that not all systems respond correctly to
+Stevens goes on to mention that not all systems respond correctly to
 gratuitous ARPs, but googling for "arping -U" seems to support the idea
 that it works most of the time.<br>
    <br>
-   To use arping with Proxy ARP in the above example, you would have to:<br>
+To use arping with Proxy ARP in the above example, you would have to:<br>
    <br>
-       <font color="#009900"><b>    shorewall clear<br>
+    <font color="#009900"><b>&nbsp; &nbsp; shorewall clear<br>
-       </b></font>    <font color="#009900"><b>ip addr add 130.252.100.18 
+    </b></font>&nbsp; &nbsp; <font color="#009900"><b>ip addr add
-dev  eth0<br>
+130.252.100.18 dev eth0<br>
-       ip addr add 130.252.100.19 dev eth0</b></font><br>
+&nbsp; &nbsp; ip addr add 130.252.100.19 dev eth0</b></font><br>
-        <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
+&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
-       <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
+130.252.100.18</b></font><br>
-       <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
+&nbsp; &nbsp; <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
-       ip addr del 130.252.100.19 dev eth0<br>
+&nbsp; &nbsp; <b><font color="#009900">ip addr del 130.252.100.18 dev
-       shorewall start</font></b><br>
+eth0<br>
 &nbsp; &nbsp; ip addr del 130.252.100.19 dev eth0<br>
 &nbsp; &nbsp; shorewall start</font></b><br>
    <br>
  </li>
  <li>You can call your ISP and ask them to purge the stale ARP cache
- entry but many    either can't or won't purge individual entries.</li>
+entry but many either can't or won't purge individual entries.</li>
 </ol>
-    You can determine if your    ISP's gateway ARP cache is stale using ping 
+You can determine if your ISP's gateway ARP cache is stale using ping
- and tcpdump. Suppose that we    suspect that the gateway router has a stale 
+and tcpdump. Suppose that we suspect that the gateway router has a
- ARP cache entry for 130.252.100.19.    On the firewall, run tcpdump as follows:</div>
+stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
-  
+as follows:</div>
 <div align="left">
 <pre>	<font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
-     </div>
+</div>
 <div align="left">
-<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we 
+<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which
- will    assume is 130.252.100.254):</p>
+we will assume is 130.252.100.254):</p>
-    </div>
+</div>
 <div align="left">
 <pre>	<b><font color="#009900">ping 130.252.100.254</font></b></pre>
-     </div>
+</div>
 <div align="left">
 <p align="left">We can now observe the tcpdump output:</p>
-    </div>
+</div>
 <div align="left">
 <pre>	13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br>	13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
-     </div>
+</div>
 <div align="left">
-<p align="left">Notice that the source MAC address in the echo request is 
+<p align="left">Notice that the source MAC address in the echo request
-    different from the destination MAC address in the echo reply!! In this 
+is different from the destination MAC address in the echo reply!! In
- case    0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 
+this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
-    was the MAC address of the system on the lower left. In other words,
+0:c0:a8:50:b2:57 was the MAC address of the system on the lower left.
 In other words,
 the gateway's ARP cache still associates 130.252.100.19 with the NIC
 in that system rather than with the firewall's eth0.</p>
-    </div>
+</div>
-  
+<p><font size="2">Last updated 11/13/2003 - </font><font size="2"> <a
 <p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-     <a href="copyright.htm"><font size="2">Copyright</font>  © <font
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/SeattleInTheSpring.html
+++ b/Shorewall-docs/SeattleInTheSpring.html
@ -1,53 +1,34 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Springtime in Seattle!!!</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
-  
+-+
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
     <tbody>
      <tr>
       <td width="100%">       
      <h1 align="center"><font color="#ffffff">Visit Seattle in the Springtime!!!!</font></h1>
       </td>
     </tr>
  </tbody> 
 </table>
 <h3><font color="#ff6633"></font></h3>
-  <img src="images/P1000048.jpg" alt="" width="640" height="480">
+<h1 style="text-align: center;">Visit Seattle in the Springtime!!!<br>
-  <br>
+</h1>
-  <br>
+<img src="images/P1000048.jpg" alt="" width="640" height="480"> <br>
-  <b>March 6, 2003 - Nice day for a walk....</b><br>
+<br>
-  <br>
+<b>March 6, 2003 - Nice day for a walk....</b><br>
-  <img src="images/P1000050.jpg" alt="" width="640" height="480">
+<br>
- <br>
+<img src="images/P1000050.jpg" alt="" width="640" height="480"> <br>
-  <br>
+<br>
- <br>
+<br>
- <img src="images/P1000049.jpg" alt="" width="480" height="640">
+<img src="images/P1000049.jpg" alt="" width="480" height="640">
-  
+<p><b>The view from my office window -- think I'll go out and enjoy the
-<p><b>The view from my office window -- think I'll go out and enjoy the deck 
+deck (Yes -- that is snow on the deck...)</b>.<br>
-(Yes -- that is snow on the deck...)</b>.<br>
+</p>
  </p>
 <p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
-    <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_CA_html.html
+++ b/Shorewall-docs/Shorewall_CA_html.html
@ -2,93 +2,79 @@
 <html>
 <head>
  <title>Shorewall Certificate Authority</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">Shorewall Certificate Authority (CA)
-<table border="0" cellpadding="0" cellspacing="0"
+Certificate<br>
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+</h1>
- bgcolor="#3366ff" height="90">
+Given that I develop and support Shorewall without asking for any
-           <tbody>
+renumeration, I can hardly justify paying $200US+ a year to a
-            <tr>
+Certificate Authority such as Thawte (A Division of VeriSign) for an
-             <td width="100%">        
+X.509 certificate to prove that I am who I am. I have therefore
-      <h1 align="center"><font color="#ffffff">Shorewall Certificate Authority 
+established my own Certificate Authority (CA) and sign my own X.509
- (CA) Certificate</font></h1>
+certificates. I use these certificates on my list server (<a
-             </td>
+ href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
           </tr>
  </tbody> 
 </table>
   <br>
   Given that I develop and support Shorewall without asking for any renumeration, 
 I can hardly justify paying $200US+ a year to a Certificate Authority such 
 as Thawte (A Division of VeriSign) for an X.509 certificate to prove that 
 I am who I am. I have therefore established my own Certificate Authority 
 (CA) and sign my own X.509 certificates. I use these certificates on my list 
 server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>) 
 which hosts parts of this web site.<br>
-   <br>
+<br>
-   X.509 certificates are the basis for the Secure Socket Layer (SSL). As 
+X.509 certificates are the basis for the Secure Socket Layer (SSL). As
-part  of establishing an SSL session (URL https://...), your browser verifies 
+part of establishing an SSL session (URL https://...), your browser
-the  X.509 certificate supplied by the HTTPS server against the set of Certificate 
+verifies the X.509 certificate supplied by the HTTPS server against the
- Authority Certificates that were shipped with your browser. It is expected 
+set of Certificate Authority Certificates that were shipped with your
- that the server's certificate was issued by one of the authorities whose 
+browser. It is expected that the server's certificate was issued by one
-identities are known to your browser. <br>
+of the authorities whose identities are known to your browser. <br>
-   <br>
+<br>
-   This mechanism, while supposedly guaranteeing that when you connect to 
+This mechanism, while supposedly guaranteeing that when you connect to
-https://www.foo.bar  you are REALLY connecting to www.foo.bar, means that 
+https://www.foo.bar you are REALLY connecting to www.foo.bar, means
-the CAs literally have  a license to print money -- they are selling a string 
+that the CAs literally have a license to print money -- they are
-of bits (an X.509 certificate)  for $200US+ per year!!!I <br>
+selling a string of bits (an X.509 certificate) for $200US+ per
-   <br>
+year!!!I <br>
-   I wish that I had decided to become a CA rather that designing and writing 
+<br>
- Shorewall.<br>
+I wish that I had decided to become a CA rather that designing and
-   <br>
+writing Shorewall.<br>
-   What does this mean to you? It means that the X.509 certificate that my 
+<br>
-server will present to your browser will not have been signed by one of the 
+What does this mean to you? It means that the X.509 certificate that my
-authorities known to your browser. If you try to connect to my server using 
+server will present to your browser will not have been signed by one of
-SSL, your browser will frown and give you a dialog box asking if you want 
+the authorities known to your browser. If you try to connect to my
-to accept the sleezy X.509 certificate being presented by my server. <br>
+server using SSL, your browser will frown and give you a dialog box
-   <br>
+asking if you want to accept the sleezy X.509 certificate being
-   There are two things that you can do:<br>
+presented by my server. <br>
-  
+<br>
 There are two things that you can do:<br>
 <ol>
-     <li>You can accept the mail.shorewall.net certificate when your browser 
+  <li>You can accept the mail.shorewall.net certificate when your
- asks -- your acceptence of the certificate can be temporary (for that access 
+browser asks -- your acceptence of the certificate can be temporary
- only) or perminent.</li>
+(for that access only) or perminent.</li>
-     <li>You can download and install <a href="ca.crt">my (self-signed) CA 
+  <li>You can download and install <a href="ca.crt">my (self-signed)
-certificate.</a> This will make my Certificate Authority known to your browser 
+CA certificate.</a> This will make my Certificate Authority known to
-so that it will accept any certificate signed by me. <br>
+your browser so that it will accept any certificate signed by me. <br>
  </li>
 </ol>
-   What are the risks?<br>
+What are the risks?<br>
 <ol>
-     <li>If you install my CA certificate then you assume that I am trustworthy 
+  <li>If you install my CA certificate then you assume that I am
- and that Shorewall running on your firewall won't redirect HTTPS requests 
+trustworthy and that Shorewall running on your firewall won't redirect
- intented to go to your bank's server to one of my systems that will present 
+HTTPS requests intented to go to your bank's server to one of my
-your browser with a bogus certificate claiming that my server is that of
+systems that will present your browser with a bogus certificate
 claiming that my server is that of
 your bank.</li>
  <li>If you only accept my server's certificate when prompted then the
-most that you have to loose is that when you connect to https://mail.shorewall.net, 
+most that you have to loose is that when you connect to
- the server you are connecting to might not be mine.</li>
+https://mail.shorewall.net, the server you are connecting to might not
-  
+be mine.</li>
 </ol>
-   I have my CA certificate loaded into all of my browsers but I certainly 
+I have my CA certificate loaded into all of my browsers but I certainly
 won't be offended if you decline to load it into yours... :-)<br>
 <p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas M.
+ size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003
 Thomas M.
 Eastep.</font></a></font></p>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_CVS_Access.html
+++ b/Shorewall-docs/Shorewall_CVS_Access.html
@ -2,56 +2,38 @@
 <html>
 <head>
  <title>Shorewall CVS Access</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
-  <body>
+<body>
-  
+<br>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Shorewall CVS Access<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+Lots of people try to download the entire Shorewall website for
-          <tbody>
+off-line browsing, including the CVS portion. In addition to being an
-          <tr>
+enormous volume of data (HTML versions of all versions of all Shorewall
-           <td width="100%">       
+files), all of the pages in Shorewall CVS access are cgi-generated
-      <h1 align="center"><font color="#ffffff">Shorewall CVS Access</font> 
+which places a tremendous load on my little server. I have therefore
-    </h1>
+resorted to making CVS access password controlled. When you are asked
-           <br>
+to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both
-       </td>
+the user name and the password.<br>
-         </tr>
+<br>
  </tbody> 
 </table>
      <br>
      Lots of people try to download the entire Shorewall website for off-line 
  browsing, including the CVS portion. In addition to being an enormous volume 
  of data (HTML versions of all versions of all Shorewall files), all of the
  pages in Shorewall CVS access are cgi-generated which places a tremendous 
  load on my little server. I have therefore resorted to making CVS access 
 password controlled. When you are asked to log in, enter "Shorewall" (NOTE 
 THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
      <br>
 <div align="center">
 <h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
 target="_top">CVS Login</a> &nbsp;<br>
-     </h3>
+</h3>
-      </div>
+</div>
-  
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002 
+1/14/2002 - <a href="support.htm">Tom Eastep</a> </font> </p>
  - <a href="support.htm">Tom Eastep</a>        </font>                 
         </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- &copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-       <br>
+<br>
-      <br>
+<br>
-     <br>
+<br>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_Doesnt.html
+++ b/Shorewall-docs/Shorewall_Doesnt.html
@ -9,20 +9,11 @@
 <body>
 <small> </small><small> </small><small> </small><small> </small><small>
 </small> <small> </small>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%"><small> </small>
      <h1 align="center"><small><font color="#ffffff">Some things that
 Shorewall <b>Cannot</b> Do</font></small></h1>
      <small> </small></td>
    </tr>
  </tbody>
 </table>
 <small><br>
-</small>Shorewall cannot:<br>
+</small>
 <h1 style="text-align: center;">Some things that Shorewall Cannot Do<br>
 </h1>
 Shorewall cannot:<br>
 <ul>
  <li>Be used to filter traffic through a Layer 2 Bridge</li>
  <li>Act as a "Personal Firewall" that allows internet access by
@ -30,18 +21,28 @@ application.</li>
  <li>Be used with an Operating System other than Linux (version &gt;=
 2.4.0)<br>
  </li>
-  <li>Do content filtering -- better to use <a
+  <li>Do content filtering:</li>
- href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
+  <ul>
    <li>HTTP -- better to use <a href="Shorewall_Squid_Usage.html">Squid</a>
 for that.</li>
    <li>Email -- Install something like <a
 href="http://www.postfix.org">Postfix</a> on your firewall and
 integrate it with <a href="http://www.spamassassin.org">SpamAssassin</a>
 and <a href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>.<br>
    </li>
  </ul>
 </ul>
 In addition:<br>
 <ul>
-  <li>Shorewall does not contain any support for Netfilter <span
+  <li>Shorewall does not contain any support for Netfilter <a
- style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
+ href="http://www.netfilter.org/documentation/pomlist/pom-summary.html"><span
 style="font-style: italic;">Patch-O-Matic</span></a> features --
 Shorewall
 only supports features from released kernels.<br>
  </li>
 </ul>
 <br>
-<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
+<font size="2">Last updated 10/07/2003 - <a href="support.htm">Tom
 Eastep</a></font>
 <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/Shorewall_Squid_Usage.html
+++ b/Shorewall-docs/Shorewall_Squid_Usage.html
@ -7,19 +7,22 @@
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table cellpadding="0" cellspacing="0" border="0" width="100%"
+<table cellpadding="0" cellspacing="0" border="0"
- bgcolor="#3366ff">
+ style="background-color: rgb(51, 102, 255); height: 84px; width: 100%;">
  <tbody>
    <tr>
-      <td valign="middle" width="33%" bgcolor="#3366ff"><a
+      <td valign="middle" width="33%" bgcolor="#3366ff"
 style="background-color: rgb(255, 255, 255);"><a
 href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
 alt="" width="88" height="31" hspace="4"> </a><br>
      </td>
-      <td valign="middle" height="90" align="center" width="34%">
+      <td valign="middle" height="90" align="center" width="34%"
-      <h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
+ style="background-color: rgb(255, 255, 255);">
      <h1 style="color: rgb(51, 0, 51);"><b>Using Shorewall with Squid</b></h1>
      <h1> </h1>
      </td>
-      <td valign="middle" height="90" width="33%" align="right"><a
+      <td valign="middle" height="90" width="33%" align="right"
 style="background-color: rgb(255, 255, 255);"><a
 href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
 alt="" width="100" height="31" hspace="4"> </a><br>
      </td>
@ -28,10 +31,14 @@
 </table>
 <br>
 This page covers Shorewall configuration to use with <a
- href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
+ href="http://www.squid-cache.org/">Squid </a>running as a <a
-Proxy</b></u>. If you are running Shorewall 1.3, please see <a
+ href="#Transparent">Transparent
- href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
+Proxy</a> or as a <a href="#Manual">Manual Proxy</a>.<br>
 <br>
 If you are running Shorewall 1.3, please see <a
 href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
 <h1><a name="Transparent"></a>Squid as a Transparent Proxy<br>
 </h1>
 <img border="0" src="images/j0213519.gif" width="60" height="60"
 alt="Caution" align="middle"> &nbsp;&nbsp;&nbsp; Please observe the
 following general requirements:<br>
@ -71,7 +78,7 @@ running on the Firewall.</a></li>
 local network</a></li>
  <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
 </ol>
-<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
+<h2><a name="Firewall"></a>Squid (transparent) Running on the Firewall</h2>
 You want to redirect all local www connection requests
 EXCEPT those to your own http server (206.124.146.177) to a Squid
 transparent proxy running on the firewall
@ -123,15 +130,49 @@ DEST</b></td>
 There may be a requirement to exclude additional destination
 hosts or networks from being redirected. For example, you might also
 want
-requests destined for 130.252.100.0/24 to not be routed to Squid. In
+requests destined for 130.252.100.0/24 to not be routed to Squid.<br>
-that
+<br>
-case, you must add a manual rule in /etc/shorewall/start:<br>
+If you are running Shorewall version 1.4.5 or later, you may just add
 the additional hosts/networks to the ORIGINAL DEST column in your
 REDIRECT rule:<br>
 <br>
 <div style="margin-left: 40px;">
 <table border="1" cellpadding="2" style="border-collapse: collapse;">
  <tbody>
    <tr>
      <td><b>ACTION</b></td>
      <td><b>SOURCE</b></td>
      <td><b>DEST</b></td>
      <td><b> PROTO</b></td>
      <td><b>DEST<br>
 PORT(S)</b></td>
      <td><b>SOURCE<br>
 PORT(S)</b></td>
      <td><b>ORIGINAL<br>
 DEST</b></td>
    </tr>
    <tr>
      <td>REDIRECT</td>
      <td>loc</td>
      <td>3128</td>
      <td>tcp</td>
      <td>www</td>
      <td> -<br>
      </td>
      <td>!206.124.146.177,130.252.100.0/24</td>
    </tr>
  </tbody>
 </table>
 </div>
 <br>
 If you are running a Shorewall version earlier than 1.4.5, you must add
 a manual rule in /etc/shorewall/start:<br>
 <blockquote>
  <pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
 </blockquote>
 &nbsp;To exclude additional hosts or networks, just add additional
 similar rules.<br>
-<h2><a name="Local"></a>Squid Running in the local network</h2>
+<h2><a name="Local"></a>Squid (transparent) Running in the local network</h2>
 You want to redirect all local www connection requests to a Squid
 transparent proxy running in your local zone at 192.168.1.3 and
 listening
@ -273,7 +314,8 @@ command above:<br>
 color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
 </blockquote>
 <blockquote> </blockquote>
-<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
+<h2><a name="DMZ"></a>Squid (transparent) Running in the DMZ (This is
 what I do)</h2>
 You have a single Linux system in your DMZ with IP address 192.0.2.177.
 You want to run both a web server and Squid on that system. Your DMZ
 interface is eth1 and your local interface is eth2.<br>
@ -455,7 +497,133 @@ command above:<br>
 color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
 </blockquote>
 <blockquote> </blockquote>
-<p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
+<h1><a name="Manual"></a>Squid as a Manual Proxy</h1>
 Assume that Squid is running in zone SZ and listening on port SP; all
 web sites that are to be accessed through Squid are in the 'net' zone.
 Then for each zone Z that needs access to the Squid server:<br>
 <br>
 <div style="margin-left: 40px;">
 <table cellpadding="2" border="1" cellspacing="0">
  <tbody>
    <tr>
      <td valign="top">ACTION<br>
      </td>
      <td valign="top">SOURCE<br>
      </td>
      <td valign="top">DEST<br>
      </td>
      <td valign="top">PROTO<br>
      </td>
      <td valign="top">DEST<br>
 PORT(S)<br>
      </td>
      <td valign="top">CLIENT<br>
 PORT(2)<br>
      </td>
      <td valign="top">ORIGINAL<br>
 DEST<br>
      </td>
    </tr>
    <tr>
      <td valign="top">ACCEPT<br>
      </td>
      <td valign="top">Z<br>
      </td>
      <td valign="top">SZ<br>
      </td>
      <td valign="top">tcp<br>
      </td>
      <td valign="top">SP<br>
      </td>
      <td valign="top"><br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td valign="top">ACCEPT<br>
      </td>
      <td valign="top">SZ<br>
      </td>
      <td valign="top">net<br>
      </td>
      <td valign="top">tcp<br>
      </td>
      <td valign="top">80<br>
      </td>
      <td valign="top"><br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
  </tbody>
 </table>
 </div>
 <br>
 Example:<br>
 <br>
 <div style="margin-left: 40px;">Squid on the firewall listening on port
 8080 with access from the 'loc' zone:<br>
 <br>
 <table cellpadding="2" border="1" cellspacing="0">
  <tbody>
    <tr>
      <td valign="top">ACTION<br>
      </td>
      <td valign="top">SOURCE<br>
      </td>
      <td valign="top">DEST<br>
      </td>
      <td valign="top">PROTO<br>
      </td>
      <td valign="top">DEST<br>
 PORT(S)<br>
      </td>
      <td valign="top">CLIENT<br>
 PORT(2)<br>
      </td>
      <td valign="top">ORIGINAL<br>
 DEST<br>
      </td>
    </tr>
    <tr>
      <td valign="top">ACCEPT<br>
      </td>
      <td valign="top">loc<br>
      </td>
      <td valign="top">$FW<br>
      </td>
      <td valign="top">tcp<br>
      </td>
      <td valign="top">8080<br>
      </td>
      <td valign="top"><br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
    <tr>
      <td valign="top">ACCEPT<br>
      </td>
      <td valign="top">$FW<br>
      </td>
      <td valign="top">net<br>
      </td>
      <td valign="top">tcp<br>
      </td>
      <td valign="top">80<br>
      </td>
      <td valign="top"><br>
      </td>
      <td valign="top"><br>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 </div>
 <p><font size="-1">Updated 1017/2003 - <a href="support.htm">Tom
 Eastep</a>
 </font></p>
 <a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
 size="2">2003 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
+++ b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
@ -2,89 +2,83 @@
 <html>
 <head>
  <title>Shorewall and Aliased Interfaces</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
-  <body>
+<body>
-            
+<h1 style="text-align: center;">Shorewall and Aliased Interfaces<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
                             <tbody>
                              <tr>
                               <td width="100%">                        
      <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
                               </td>
                             </tr>
  </tbody>      
 </table>
          <br>
 <h2>Background</h2>
-          The traditional net-tools contain a program called <i>ifconfig</i>
+The traditional net-tools contain a program called <i>ifconfig</i>
-  which    is used to configure network devices. ifconfig introduced the
+which is used to configure network devices. ifconfig introduced the
-concept   of   <i>aliased </i>or <i>virtual </i>interfaces. These virtual
+concept of <i>aliased </i>or <i>virtual </i>interfaces. These
 virtual
 interfaces have names of the form <i>interface</i>:<i>integer </i>(e.g.,
 eth0:0) and ifconfig treats them more or less like real interfaces.<br>
-          <br>
+<br>
-          Example:<br>
+Example:<br>
 <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55<br>          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0<br>          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1<br>          Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
-         The ifconfig utility is being gradually phased out in favor of the 
+The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
- <i>ip</i>    utility which is part of the <i>iproute </i>package. The ip 
+utility which is part of the <i>iproute </i>package. The ip utility
-utility does   not use the concept of aliases or virtual interfaces but rather 
+does not use the concept of aliases or virtual interfaces but rather
-treats additional    addresses on an interface as objects in their own right.
+treats additional addresses on an interface as objects in their own
-The ip utility does provide for interaction   with ifconfig in that it allows
+right.
-addresses to be <i>labeled </i>where these labels take the form of ipconfig
+The ip utility does provide for interaction with ifconfig in that it
 allows
 addresses to be <i>labeled </i>where these labels take the form of
 ipconfig
 virtual interfaces.<br>
-          <br>
+<br>
-          Example:<br>
+Example:<br>
-          <br>
+<br>
 <pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br>    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br>    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br>    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
-          Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
+Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
-  "eth0:0"  is a label for a particular address rather than a device name.<br>
+"eth0:0" is a label for a particular address rather than a device name.<br>
 <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
-          The iptables program doesn't support virtual interfaces in either 
+The iptables program doesn't support virtual interfaces in either it's
- it's   "-i"  or "-o" command options; as a consequence, Shorewall does not 
+"-i" or "-o" command options; as a consequence, Shorewall does not
- allow   them to be used in the /etc/shorewall/interfaces file or anywhere
+allow them to be used in the /etc/shorewall/interfaces file or anywhere
 else except as described in the discussion below. <br>
 <br>
 <h2>Adding Addresses to Interfaces</h2>
-Shorewall provides facilities for automatically adding addresses to interfaces
+Most distributions have a facility for adding additional addresses to
-as described in the following section. It is also easy to add them yourself
+interfaces. If you have already used your distribution's capability to
 add your required addresses, you can skip this section. <br>
 <br>
 Shorewall provides facilities for automatically adding addresses to
 interfaces
 as described in the following section. It is also easy to add them
 yourself
 using the <b>ip</b> utility. The above alias was added using:<br>
-<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd 206.124.146.255
+<blockquote><b><font color="#009900">ip addr add 206.124.146.178/24 brd
 206.124.146.255
 dev eth0 label eth0:0</font></b><br>
 </blockquote>
-You probably want to arrange to add these addresses when the device is started
+You probably want to arrange to add these addresses when the device is
-rather than placing commands like the above in one of the Shorewall extension
+started
-scripts. For example, on RedHat systems, you can place the commands in /sbin/ifup-local:<br>
+rather than placing commands like the above in one of the Shorewall
 extension
 scripts. For example, on RedHat systems, you can place the commands in
 /sbin/ifup-local:<br>
 <br>
 <blockquote>
  <pre>#!/bin/sh<br><br>case $1 in<br>    eth0)<br>	/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0<br>	;;<br>esac&nbsp;<br></pre>
 </blockquote>
-RedHat systems also allow adding such aliases from the network administration
+RedHat systems also allow adding such aliases from the network
-GUI (which works well if you have a graphical environment on your firewall).<br>
+administration
 GUI (which only works well if you have a graphical environment on your
 firewall).<br>
 <h2>So how do I handle more than one address on an interface?</h2>
-          The answer depends on what you are trying to do with the interfaces.
+The answer depends on what you are trying to do with the interfaces. In
-   In the sub-sections   that follow, we'll take a look at common scenarios.<br>
+the sub-sections that follow, we'll take a look at common scenarios.<br>
 <h3>Separate Rules</h3>
-         If you need to make a rule for traffic to/from the firewall itself 
+If you need to make a rule for traffic to/from the firewall itself that
- that  only  applies to a particular IP address, simply qualify the $FW zone 
+only applies to a particular IP address, simply qualify the $FW zone
- with  the IP  address.<br>
+with the IP address.<br>
-         <br>
+<br>
-         Example (allow SSH from net to eth0:0 above):<br>
+Example (allow SSH from net to eth0:0 above):<br>
-         <br>
+<br>
 <blockquote>
  <table cellpadding="2" border="1" cellspacing="0">
    <tbody>
@ -120,19 +114,16 @@ GUI (which works well if you have a graphical environment on your firewall).<br>
        <td valign="top"><br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-         </blockquote>
+</blockquote>
 <h3>DNAT</h3>
-          Suppose that I had set up eth0:0 as above and I wanted to port
+Suppose that I had set up eth0:0 as above and I wanted to port
 forward from that virtual interface to a web server running in my local
-zone at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewall/rules
+zone at 192.168.1.3. That is accomplised by a single rule in the
-   file:<br>
+/etc/shorewall/rules file:<br>
-          <br>
+<br>
 <blockquote>
  <table cellpadding="2" border="1" cellspacing="0">
    <tbody>
@ -168,17 +159,14 @@ zone at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewa
        <td valign="top">206.124.146.178<br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-          </blockquote>
+</blockquote>
 <h3>SNAT</h3>
-          If you wanted to use eth0:0 as the IP address for outbound connections
+If you wanted to use eth0:0 as the IP address for outbound connections
-    from  your local zone (eth1), then in /etc/shorewall/masq:<br>
+from your local zone (eth1), then in /etc/shorewall/masq:<br>
-          <br>
+<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -198,18 +186,19 @@ zone at   192.168.1.3.  That is accomplised by a single rule in the /etc/shorewa
        <td valign="top">206.124.146.178<br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-          </blockquote>
+</blockquote>
-          Shorewall can create the alias (additional address) for you if
+Shorewall can create the alias (additional address) for you if
-you   set   ADD_SNAT_ALIASES=Yes  in /etc/shorewall/shorewall.conf. Beginning
+you set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
-with  Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
+Beginning
 with Shorewall 1.3.14, Shorewall can actually create the "label"
 (virtual
 interface) so that you can see the created address using ifconfig. In
-addition to  setting   ADD_SNAT_ALIASES=Yes,  you specify the virtual interface
+addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual
 interface
 name in the INTERFACE column as follows:<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -229,17 +218,15 @@ name in  the INTERFACE   column as follows:<br>
        <td valign="top">206.124.146.178<br>
        </td>
      </tr>
    </tbody>
  </table>
-             </blockquote>
+</blockquote>
-   Shorewall can also set up SNAT to round-robin over a range of IP addresses. 
+Shorewall can also set up SNAT to round-robin over a range of IP
- Do do that, you specify a range of IP addresses in the ADDRESS column. If 
+addresses. Do do that, you specify a range of IP addresses in the
- you specify a label in the INTERFACE column, Shorewall will use that label 
+ADDRESS column. If you specify a label in the INTERFACE column,
- for the first address of the range and will increment the label by one for 
+Shorewall will use that label for the first address of the range and
- each subsequent label.<br>
+will increment the label by one for each subsequent label.<br>
-   <br>
+<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -259,21 +246,18 @@ name in  the INTERFACE   column as follows:<br>
        <td valign="top">206.124.146.178-206.124.146.180<br>
        </td>
      </tr>
    </tbody>
  </table>
-             </blockquote>
+</blockquote>
-   The above would create three IP addresses:<br>
+The above would create three IP addresses:<br>
-   <br>
+<br>
-   &nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
+&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
-   &nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
+&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
-   &nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
+&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
-                    
+<h3>One-to-one NAT</h3>
-<h3>STATIC NAT</h3>
+If you wanted to use one-to-one NAT to link eth0:0 with local address
-          If you wanted to use static NAT to link eth0:0 with local address 
+192.168.1.3, you would have the following in /etc/shorewall/nat:<br>
- 192.168.1.3,    you would have the following in /etc/shorewall/nat:<br>
+<br>
          <br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -301,19 +285,19 @@ name in  the INTERFACE   column as follows:<br>
        <td valign="top">no<br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-          </blockquote>
+</blockquote>
-          Shorewall can create the alias (additional address) for you if
+Shorewall can create the alias (additional address) for you if
 you set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
-with   Shorewall   1.3.14, Shorewall  can actually create the "label" (virtual
+with Shorewall 1.3.14, Shorewall can actually create the "label"
 (virtual
 interface) so that you can see the created address using ifconfig. In
-addition to  setting   ADD_IP_ALIASES=Yes,  you specify the virtual interface
+addition to setting ADD_IP_ALIASES=Yes, you specify the virtual
 interface
 name in the INTERFACE column as follows:<br>
-          <br>
+<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -341,18 +325,16 @@ name in the INTERFACE   column as follows:<br>
        <td valign="top">no<br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-         </blockquote>
+</blockquote>
-         In either case, to create rules that pertain only to this NAT pair,
+In either case, to create rules that pertain only to this NAT pair, you
-  you   simply qualify the local zone with the internal IP address.<br>
+simply qualify the local zone with the internal IP address.<br>
-         <br>
+<br>
-         Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
+Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
-   192.168.1.3.<br>
+192.168.1.3.<br>
-         <br>
+<br>
 <blockquote>
  <table cellpadding="2" border="1" cellspacing="0">
    <tbody>
@ -388,29 +370,26 @@ name in the INTERFACE   column as follows:<br>
        <td valign="top"><br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-         </blockquote>
+</blockquote>
 <h3>MULTIPLE SUBNETS</h3>
-          Sometimes multiple IP addresses are used because there are multiple 
+Sometimes multiple IP addresses are used because there are multiple
-  subnetworks   configured on a LAN segment. This technique does not provide 
+subnetworks configured on a LAN segment. This technique does not
-  for any security   between the subnetworks if the users of the systems have
+provide for any security between the subnetworks if the users of the
-  administrative privileges  because in that case, the users can simply manipulate
+systems have administrative privileges because in that case, the users
-  their system's routing  table to bypass your firewall/router. Nevertheless,
+can simply manipulate their system's routing table to bypass your
-  there are cases where  you simply want to consider the LAN segment itself
+firewall/router. Nevertheless, there are cases where you simply want to
-  as a zone and allow your  firewall/router to route between the two subnetworks.<br>
+consider the LAN segment itself as a zone and allow your
-          <br>
+firewall/router to route between the two subnetworks.<br>
-          Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
+<br>
-  and   192.168.20.0/24.  The primary IP address of eth1 is 192.168.1.254
+Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
-and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
+192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254
-  the two   subnetworks.<br>
+and eth1:0 is 192.168.20.254. You want to simply route all requests
-            
+between the two subnetworks.<br>
 <h4>If you are running Shorewall 1.4.1 or Later</h4>
-      In /etc/shorewall/interfaces:<br>
+In /etc/shorewall/interfaces:<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -434,13 +413,11 @@ and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
        <td valign="top"><br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-      </blockquote>
+</blockquote>
-          In /etc/shorewall/hosts:<br>
+In /etc/shorewall/hosts:<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -468,19 +445,17 @@ and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
        <td valign="top"><br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-      </blockquote>
+</blockquote>
-      Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
+Note that you do NOT need any entry in /etc/shorewall/policy as
-   1.4.1 and later releases default to allowing intra-zone traffic.<br>
+Shorewall 1.4.1 and later releases default to allowing intra-zone
-           
+traffic.<br>
 <h4>If you are running Shorewall 1.4.0 or earlier<br>
-      </h4>
+</h4>
-      In /etc/shorewall/interfaces:<br>
+In /etc/shorewall/interfaces:<br>
-          <br>
+<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -504,17 +479,15 @@ and  eth1:0   is 192.168.20.254.  You want to simply route all requests between
        <td valign="top">Note 1:<br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-          </blockquote>
+</blockquote>
-          Note 1: If you are running Shorewall 1.3.10 or earlier then you 
+Note 1: If you are running Shorewall 1.3.10 or earlier then you must
-must   specify   the <b>multi</b> option.<br>
+specify the <b>multi</b> option.<br>
-          <br>
+<br>
-          In /etc/shorewall/policy:<br>
+In /etc/shorewall/policy:<br>
-          <br>
+<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -542,20 +515,19 @@ must   specify   the <b>multi</b> option.<br>
        <td valign="top"><br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-          </blockquote>
+</blockquote>
-          Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
+Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
- 192.168.20.0/24.     The primary IP address of eth1 is 192.168.1.254 and
+192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
-eth1:0 is 192.168.20.254.     You want to make these subnetworks into separate
+eth1:0 is 192.168.20.254. You want to make these subnetworks into
 separate
 zones and control the access between them (the users of the systems do
 not have administrative privileges).<br>
-          <br>
+<br>
-          In /etc/shorewall/zones:<br>
+In /etc/shorewall/zones:<br>
-          <br>
+<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -583,14 +555,12 @@ not have administrative  privileges).<br>
        <td valign="top">Local Zone 2<br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-          </blockquote>
+</blockquote>
-          In /etc/shorewall/interfaces:<br>
+In /etc/shorewall/interfaces:<br>
-          <br>
+<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -614,16 +584,14 @@ not have administrative  privileges).<br>
        <td valign="top">Note 1:<br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-          </blockquote>
+</blockquote>
-          Note 1: If you are running Shorewall 1.3.10 or earlier then you 
+Note 1: If you are running Shorewall 1.3.10 or earlier then you must
-must   specify   the <b>multi</b> option.<br>
+specify the <b>multi</b> option.<br>
-          <br>
+<br>
-          In /etc/shorewall/hosts:<br>
+In /etc/shorewall/hosts:<br>
 <blockquote>
  <table cellpadding="2" cellspacing="0" border="1">
    <tbody>
@ -651,21 +619,18 @@ must   specify   the <b>multi</b> option.<br>
        <td valign="top"><br>
        </td>
      </tr>
    </tbody>
  </table>
  <br>
-          </blockquote>
+</blockquote>
-          In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
+In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
-   that   you want to permit.<br>
+that you want to permit.<br>
-          <br>
+<br>
-            
+<p align="left"><font size="2">Last Updated 11/13/2003 A - <a
 <p align="left"><font size="2">Last Updated 7/29/2003 A - <a
 href="support.htm">Tom Eastep</a></font></p>
-            
+<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
-<p><a href="copyright.htm"><font size="2">Copyright</font>         &copy;
+ size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-     <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
+</p>
- </p>
+<br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_and_Kazaa.html
+++ b/Shorewall-docs/Shorewall_and_Kazaa.html
@ -0,0 +1,32 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <title>Shorewall and Kazaa</title>
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <h1 style="text-align: center;">Kazaa Filtering</h1>
 <br>
 Beginning with Shorewall version 1.4.8, Shorewall can interface to <span
 style="font-weight: bold;">ftwall</span>. ftwall is part of the
 p2pwall project and is a user-space filter for applications based on
 the "Fast Track" peer to peer protocol. Applications using this
 protocol include Kazaa, KazaaLite, iMash and Grokster.<br>
 <br>
 To filter traffic from your 'loc' zone with ftwall, you insert the
 following rules <span style="text-decoration: underline;"><span
 style="font-weight: bold;">near the top</span></span> of your
 /etc/shorewall/rules file (before and ACCEPT rules whose source is the
 'loc' zone).<br>
 <pre style="margin-left: 40px;">QUEUE   loc	     net	tcp<br>QUEUE   loc	     net	udp<br>QUEUE   loc	     fw		udp<br></pre>
 Now simply configure ftwall as described in the ftwall documentation
 and restart Shorewall.<br>
 <p align="left"><font size="2">Last updated 10/22/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 &copy; <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_index_frame.htm
+++ b/Shorewall-docs/Shorewall_index_frame.htm
@ -1,138 +1,66 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
  <base target="main">
  <meta name="Microsoft Theme" content="none">
 </head>
-  <body>
+<body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
-                                                              <td
+      <td width="100%" bgcolor="#ffffff">
 width="100%" height="90" align="center">                     
      <div align="center">                                               
                  </div>
         <a href="http://www.shorewall.net" target="_top"><img
 border="0" src="images/ProtectedBy.png" width="200" height="42"
 hspace="4" alt="(Shorewall Logo)" align="middle" vspace="4">
                 </a><br>
                                                             <br>
         </td>
                                                            </tr>
                                                            <tr>
                                                              <td
 width="100%" bgcolor="#ffffff">                                         
      <ul>
-                                                                <li> <a
+        <li> <a href="seattlefirewall_index.htm">Home</a></li>
- href="seattlefirewall_index.htm">Home</a></li>
+        <li> <a href="shorewall_features.htm">Features</a></li>
                                                                        <li>
            <a href="shorewall_features.htm">Features</a></li>
        <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
        </li>
-                                                                <li> <a
+        <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
- href="shorewall_prerequisites.htm">Requirements</a></li>
+        <li> <a href="download.htm">Download</a><br>
                                                                <li> <a
 href="download.htm">Download</a><br>
        </li>
-                                                        <li> <a
+        <li> <a href="Install.htm">Installation/Upgrade/</a><br>
- href="Install.htm">Installation/Upgrade/</a><br>
+          <a href="Install.htm">Configuration</a><br>
                                                          <a
 href="Install.htm">Configuration</a><br>
        </li>
-                                                        <li> <a
+        <li> <a href="shorewall_quickstart_guide.htm">QuickStart
- href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
+Guides (HOWTOs)</a><br>
        </li>
-                                                                        
+        <li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
               <li>             <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
        <li> <a href="FAQ.htm">FAQs</a></li>
-                                                                 <li><a
+        <li><a href="useful_links.html">Useful Links</a><br>
 href="useful_links.html">Useful     Links</a><br>
        </li>
-                                                                <li> <a
+        <li> <a href="troubleshoot.htm">Things to try if it doesn't
- href="troubleshoot.htm">Things to try if it doesn't work</a></li>
+work</a></li>
-                                                                <li> <a
+        <li> <a href="errata.htm">Errata</a></li>
- href="errata.htm">Errata</a></li>
+        <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
-                                                                <li> <a
+        <li> <a href="support.htm">Getting help or Answers to Questions</a></li>
- href="upgrade_issues.htm">Upgrade     Issues</a></li>
+        <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
-                                                                <li> <a
+ href="http://lists.shorewall.net"> </a><br>
 href="support.htm">Getting   help or Answers to Questions</a></li>
                           <li><a href="http://lists.shorewall.net">Mailing 
 Lists</a><a href="http://lists.shorewall.net"> </a><br>
        </li>
        <li><a href="shorewall_mirrors.htm">Mirrors</a>
          <ul>
          </ul>
        </li>
        <li> <a href="News.htm">News Archive</a></li>
-                                                                <li> <a
+        <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
- href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
+        <li> <a href="quotes.htm">Quotes from Users</a></li>
                                                                <li> <a
 href="quotes.htm">Quotes     from   Users</a></li>
        <ul>
        </ul>
-                                                                <li> <a
+        <li> <a href="shoreline.htm">About the Author</a></li>
- href="shoreline.htm">About    the   Author</a></li>
+        <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
                                                                <li> <a
 href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
      </td>
    </tr>
  </tbody>
 </table>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
-  </p>
+</p>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/Shorewall_sfindex_frame.htm
+++ b/Shorewall-docs/Shorewall_sfindex_frame.htm
@ -1,120 +1,68 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Index</title>
-                                                                        
+  <base target="main">
                                                                     <base
 target="main">                                                       
  <meta name="Microsoft Theme" content="none">
 </head>
-  <body>
+<body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
-                                                          <td
+      <td width="100%" bgcolor="#ffffff">
 width="100%" height="90">                                               
      <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
                                                          </td>
                                                        </tr>
                                                        <tr>
                                                          <td
 width="100%" bgcolor="#ffffff">                                         
      <ul>
-                                                            <li> <a
+        <li> <a href="seattlefirewall_index.htm">Home</a></li>
- href="seattlefirewall_index.htm">Home</a></li>
+        <li> <a href="shorewall_features.htm">Features</a></li>
                                                                    <li>
          <a href="shorewall_features.htm">Features</a></li>
        <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
        </li>
-                                                            <li> <a
+        <li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
- href="shorewall_prerequisites.htm">Requirements</a></li>
+        <li> <a href="download.htm">Download</a><br>
                                                            <li> <a
 href="download.htm">Download</a><br>
        </li>
-                                                    <li> <a
+        <li> <a href="Install.htm">Installation/Upgrade/</a><br>
- href="Install.htm">Installation/Upgrade/</a><br>
+          <a href="Install.htm">Configuration</a><br>
                                                      <a
 href="Install.htm">Configuration</a><br>
        </li>
-                                                    <li> <a
+        <li> <a href="shorewall_quickstart_guide.htm">QuickStart
- href="shorewall_quickstart_guide.htm">QuickStart       Guides   (HOWTOs)</a><br>
+Guides (HOWTOs)</a><br>
        </li>
-                                                                        
+        <li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
           <li>             <b><a
 href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
        <li> <a href="FAQ.htm">FAQs</a></li>
-                                                             <li><a
+        <li><a href="useful_links.html">Useful Links</a><br>
 href="useful_links.html">Useful     Links</a><br>
        </li>
-                                                            <li> <a
+        <li> <a href="troubleshoot.htm">Things to try if it doesn't
- href="troubleshoot.htm">Things to try if it doesn't work</a></li>
+work</a></li>
-                                                            <li> <a
+        <li> <a href="errata.htm">Errata</a></li>
- href="errata.htm">Errata</a></li>
+        <li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
-                                                            <li> <a
+        <li> <a href="support.htm">Getting help or Answers to Questions</a></li>
- href="upgrade_issues.htm">Upgrade     Issues</a></li>
+        <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
-                                                            <li> <a
+ href="http://lists.shorewall.net"> </a><br>
 href="support.htm">Getting   help or Answers to Questions</a>           
        </li>
-                                                 <li><a
+        <li><a href="shorewall_mirrors.htm">Mirrors</a>
 href="http://lists.shorewall.net">Mailing Lists</a></li>
                                                <li><a
 href="shorewall_mirrors.htm">Mirrors</a></li>
                                                                <li><a
 href="News.htm">News    Archive</a></li>
                                                            <li> <a
 href="Shorewall_CVS_Access.html">CVS   Repository</a></li>
          <ul>
          </ul>
-                                                            <li> <a
+        </li>
- href="quotes.htm">Quotes     from   Users</a></li>
+        <li> <a href="News.htm">News Archive</a></li>
-                                                            <li> <a
+        <li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
- href="shoreline.htm">About    the   Author</a></li>
+        <li> <a href="quotes.htm">Quotes from Users</a></li>
-                                                            <li> <a
+        <ul>
- href="seattlefirewall_index.htm#Donations">Donations</a></li>
+        </ul>
-                                                                        
+        <li> <a href="shoreline.htm">About the Author</a></li>
-                                                                        
+        <li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
      </ul>
      </td>
    </tr>
  </tbody>
 </table>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001-2003 Thomas M. Eastep.</font></a><br>
- </p>
+</p>
- <br>
+<br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/SourceforgeBanner.html
+++ b/Shorewall-docs/SourceforgeBanner.html
@ -0,0 +1,45 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <title>Banner</title>
  <meta name="author" content="Tom Eastep">
  <base target="main">
 </head>
 <body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
 link="#000099" vlink="#990099" alink="#000099">
 <table cellpadding="0"
 style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
 id="AutoNumber3">
  <tbody>
    <tr>
      <td style="text-align: center; width: 34%; vertical-align: top;">
      <div align="center"> <img src="images/Logo1.png"
 alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
 align="middle" title=""> </div>
      </td>
      <td style="vertical-align: top;">
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch"
 style="background-color: rgb(51, 102, 255);"> <strong><font
 color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
 is unavailable Daily 0200-0330 GMT.</font><br>
        <strong></strong>
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
        <font face="Arial" size="-1"> <input type="text" name="words"
 size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
 type="hidden" name="format" value="long"> <input type="hidden"
 name="method" value="and"> <input type="hidden" name="config"
 value="htdig"> <input type="submit" value="Search"><b><font
 color="#ffffff">&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <a
 href="http://lists.shorewall.net/htdig/search.html"
 style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
        <font face="Arial"> <input type="hidden" name="exclude"
 value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
      </td>
    </tr>
  </tbody>
 </table>
 </body>
 </html>
--- a/Shorewall-docs/UserSets.html
+++ b/Shorewall-docs/UserSets.html
@ -0,0 +1,141 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Controlling Traffic by UID/GID</title>
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Controlling Output
 Traffic by UID/GID<br>
      </font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 This capability was added in Shorewall release
 1.4.7.<br>
 <br>
 Netfilter provides the capability to filter packets generated on the
 firewall system by User Id and/or Group Id. Shorewall provides two
 separate but related ways to use this Netfilter capability:<br>
 <ol>
  <li>Shorewall allows you to
 define collections of users called "<a href="#UserSet">User Sets</a>"
 and then to restrict
 certain rules in /etc/shorewall/rules to a given User Set.</li>
  <li>Shorewall also allows you to restrict a given <a href="#Rule">rule
    </a>to a particular user and/or group.<br>
  </li>
 </ol>
 Since only packets created by programs running on the Shorewall box
 itself, only rules whose SOURCE is the firewall ($FW) may be restricted
 using either of the facilities.<br>
 <h2><a name="UserSet"></a>User Sets<br>
 </h2>
 Given the way that this facility is implemented in Shorewall, it is not
 possible to control logging of individual rules using a User Set and
 logging is rather specified on the User Set itself.<br>
 <br>
 User Sets are defined in the /etc/shorewall/usersets file. Columns in
 that file include:<br>
 <br>
 <div style="margin-left: 40px;">USERSET&nbsp;&nbsp; &nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; The name of a User Set. Must be a legal
 shell
 identifier of no more than six (6) characters in length.<br>
 REJECT&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
 Log level for connections rejected for this User Set.<br>
 ACCEPT&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp; Log
 level for connections accepted for this User Set.<br>
 DROP &nbsp;&nbsp; &nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
 &nbsp;&nbsp; Log level for connections dropped for this User Set.<br>
 </div>
 <br>
 In the REJECT and ACCEPT columns, if you don't want to specify a value
 in the column but you want to specify a value in a following column,
 you may enter "-".<br>
 <br>
 Users and/or groups are added to User Sets using the
 /etc/shorewall/users file. Columns in that file are:<br>
 <br>
 <div style="margin-left: 40px;">USERSET&nbsp;&nbsp; &nbsp;&nbsp;
 &nbsp;&nbsp; &nbsp;&nbsp; The name of a User Set defined in
 /etc/shorewall/usersets.<br>
 USER&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
 &nbsp;&nbsp; The name of a user defined on the system or a user number.<br>
 GROUP&nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp; &nbsp;&nbsp;
 The name of a group defined on the system or a number.<br>
 </div>
 <p align="left">Only one of the USER and GROUP
 column needs to be non-empty. If you wish to specify a GROUP but not a
 USER, enter "-" in the user column.<br>
 </p>
 <p align="left">If both USER and GROUP are
 specified then only programs running under that USER:GROUP pair will
 match rules specifying the User Set named in the USERSET column.<br>
 </p>
 <p align="left">Once a user set has been defined, its name may be
 placed in the USER SET column of the /etc/shorewall/rules file. <span
 style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">IMPORTANT:
 </span></span>When
 the name of a user set is given in the USER SET column, you may not
 include a log level in the ACTION column; logging of such rules is
 governed solely by the user set's definition in the
 /etc/shorewall/userset file.
 </p>
 <p align="left">Example: You want members of the
 'admin' group and 'root' to be able to use ssh on the firewall to
 connect to local systems. You want to log all connections accepted for
 these users using syslog at the 'info' level.<br>
 </p>
 <div style="margin-left: 40px;"></div>
 <p align="left" style="margin-left: 40px;">/etc/shorewall/usersets</p>
 <div style="margin-left: 40px;"></div>
 <pre style="margin-left: 80px;">#USERSET	REJECT	ACCEPT	DROP<br>admins		-	info<br></pre>
 <div style="margin-left: 40px;"></div>
 <p align="left" style="margin-left: 40px;">/etc/shorewall/users<br>
 </p>
 <div style="margin-left: 40px;"></div>
 <pre style="margin-left: 80px;">#USERSET	USER		GROUP<br>admins		-		admin<br>admins		root<br></pre>
 <div style="margin-left: 40px;">/etc/shorewall/rules<br>
 </div>
 <pre style="margin-left: 80px;">#ACTION	SOURCE	DESTINATION	PROTO	PORT	SOURCE	ORIGINAL	RATE	USER<br>#						PORT(S)	DESTINATION		SET<br><br>ACCEPT	$FW	loc		tcp	22	-	-		-	admins<br></pre>
 <h2><a name="Rule"></a>Restricting a rule to a particular user and/or
 group<br>
 </h2>
 In cases where you may want to restrict a rule to a particular user
 and/or group, the USER SET column in the rules file may be specified as:<br>
 <br>
 <div style="margin-left: 40px;">[ &lt;<span style="font-style: italic;">user
 name or number</span>&gt; ] : [ &lt;<span style="font-style: italic;">group
 name or number</span>&gt; ]<br>
 <div style="text-align: left;"><br>
 </div>
 </div>
 When a user and/or group name is given in the USER SET column, it is OK
 to specify a log level in the ACTION column. <br>
 <br>
 Example: You want user <span style="font-style: italic;">mail </span>to
 be able to send email from the firewall to the local net zone<br>
 <br>
 <div style="margin-left: 40px;">/etc/shorewall/rules (be sure to note
 the ":" in the USER SET column entry).<br>
 <pre>#ACTION	SOURCE	DESTINATION	PROTO	PORT	SOURCE	ORIGINAL	RATE	USER<br>#						PORT(S)	DESTINATION		SET<br><br>ACCEPT	$FW	loc		tcp	25	-	-		-	mail:</pre>
 </div>
 <p align="left"><font size="2">Last updated 9/19/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
 </body>
 </html>
--- a/Shorewall-docs/VPN.htm
+++ b/Shorewall-docs/VPN.htm
@ -1,55 +1,36 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>VPN</title>
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">VPN<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<p>It is often the case that a system behind the firewall needs to be
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+able to access a remote network through Virtual Private Networking
-    <tbody>
+(VPN). The two most common means for doing this are IPSEC and PPTP. The
-     <tr>
+basic setup is shown in the following diagram:</p>
      <td width="100%">       
      <h1 align="center"><font color="#ffffff">VPN</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <p>It is often the case that a system behind the firewall needs to be able 
 to  access a remote network through Virtual Private Networking (VPN). The 
 two most  common means for doing this are IPSEC and PPTP. The basic setup 
 is shown in the  following diagram:</p>
 <p align="center"><img border="0" src="images/VPN.png" width="568"
- height="796">
+ height="796"> </p>
- </p>
+<p align="left">A system with an RFC 1918 address needs to access a
-  
+remote network through a remote gateway. For this example, we will
-<p align="left">A system with an RFC 1918 address needs to access a remote 
+assume that the local system has IP address 192.168.1.12 and that the
- network through a remote gateway. For this example, we will assume that the
+remote gateway has
 local system has IP address 192.168.1.12 and that the remote gateway has
 IP address 192.0.2.224.</p>
-  
+<p align="left">If PPTP is being used, there are no firewall
-<p align="left">If PPTP is being used, there are no firewall requirements 
+requirements beyond the default loc-&gt;net ACCEPT policy. There is one
-beyond  the default loc-&gt;net ACCEPT policy. There is one restriction however: 
+restriction however: Only one local system at a time can be connected
-Only one  local system at a time can be connected to a single remote gateway 
+to a single remote gateway unless you patch your kernel from the
-unless you  patch your kernel from the 'Patch-o-matic' patches available at
+'Patch-o-matic' patches available at
 <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
-  
+<p align="left">If IPSEC is being used then only one system may connect
-<p align="left">If IPSEC is being used then only one system may connect to 
+to the remote gateway and there are firewall configuration requirements
-the remote gateway and there are firewall configuration  requirements as follows:</p>
+as follows:</p>
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 bordercolor="#111111" id="AutoNumber2" height="98">
@ -61,18 +42,18 @@ the remote gateway and there are firewall configuration  requirements as follows
        <td height="38"><u><b>PROTOCOL</b></u></td>
        <td height="38"><u><b>PORT</b></u></td>
        <td height="38"><u><b>CLIENT<br>
-        PORT</b></u></td>
+PORT</b></u></td>
        <td height="38"><u><b>ORIGINAL<br>
-        DEST</b></u></td>
+DEST</b></u></td>
      </tr>
      <tr>
        <td height="19">DNAT</td>
        <td height="19">net:192.0.2.224</td>
        <td height="19">loc:192.168.1.12</td>
        <td height="19">50</td>
-        <td height="19"> </td>
+        <td height="19">&nbsp;</td>
-        <td height="19"> </td>
+        <td height="19">&nbsp;</td>
-        <td height="19"> </td>
+        <td height="19">&nbsp;</td>
      </tr>
      <tr>
        <td height="19">DNAT</td>
@ -80,27 +61,24 @@ the remote gateway and there are firewall configuration  requirements as follows
        <td height="19">loc:192.168.1.12</td>
        <td height="19">udp</td>
        <td height="19">500</td>
-        <td height="19"> </td>
+        <td height="19">&nbsp;</td>
-        <td height="19"> </td>
+        <td height="19">&nbsp;</td>
      </tr>
    </tbody>
  </table>
-  </blockquote>
+</blockquote>
-  
+<p>If you want to be able to give access to all of your local systems
-<p>If you want to be able to give access to all of your local systems to the
+to the remote network, you should consider running a VPN client on your
- remote network, you should consider running a VPN client on your firewall. 
+firewall. As starting points, see <a
-As  starting points, see <a
+ href="Documentation.htm#Tunnels">
- href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a> 
+http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a
-or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
+ href="PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
-  
+<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom
-<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
+Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
- 
+<p>&nbsp;</p>
-<p> </p>
+<br>
-   <br>
+<br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/blacklisting_support.htm
+++ b/Shorewall-docs/blacklisting_support.htm
@ -1,102 +1,91 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Blacklisting Support</title>
 </head>
-  <body>
+<body>
-    
+<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<p>Shorewall supports two different forms of blacklisting; static and
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
-       <tbody>
+option in /etc/shorewall/shorewall.conf controls the degree of
-        <tr>
+blacklist filtering:<br>
-         <td width="100%">              
+</p>
-      <h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
+<ol>
-         </td>
+  <li>BLACKLISTNEWONLY=No --&nbsp; All incoming packets are checked
-       </tr>
+against the blacklist. New blacklist entries can be used to terminate
-        
+existing connections. Versions of Shorewall prior to 1.4.8 behave in
-  </tbody>  
+this manner.<br>
-</table>
+  </li>
-    
+  <li>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new
-<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
+connection requests. Blacklists may not be used to terminate existing
-    
+connections.</li>
 </ol>
 Only the source address is checked against the blacklists.<br>
 <h2>Static Blacklisting</h2>
-    
+<p>Shorewall static blacklisting support has the following
-<p>Shorewall static blacklisting support has the following configuration
+configuration
 parameters:</p>
 <ul>
-       <li>You specify whether you want packets from blacklisted hosts dropped
+  <li>You specify whether you want packets from blacklisted hosts
-  or     rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
+dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
-      setting in /etc/shorewall/shorewall.conf</li>
+setting in /etc/shorewall/shorewall.conf</li>
-       <li>You specify whether you want packets from blacklisted hosts logged
+  <li>You specify whether you want packets from blacklisted hosts
-  and at     what syslog level using the <a
+logged and at what syslog level using the <a
 href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
-  /etc/shorewall/shorewall.conf</li>
+/etc/shorewall/shorewall.conf</li>
-       <li>You list the IP addresses/subnets that you wish to blacklist in
+  <li>You list the IP addresses/subnets that you wish to blacklist in <a
-     <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
+ href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
-Beginning   with Shorewall version 1.3.8, you may also specify PROTOCOL and
+Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
 and
 Port numbers/Service names in the blacklist file.<br>
  </li>
-       <li>You specify the interfaces whose incoming packets you want checked
+  <li>You specify the interfaces whose incoming packets you want
-  against     the blacklist using the "<a
+checked against the blacklist using the "<a
- href="Documentation.htm#Interfaces">blacklist</a>"     option in /etc/shorewall/interfaces.</li>
+ href="Documentation.htm#Interfaces">blacklist</a>" option in
-       <li>The black list is refreshed from /etc/shorewall/blacklist by the
+/etc/shorewall/interfaces.</li>
- "<a href="Documentation.htm#Starting">shorewall     refresh</a>" command.</li>
+  <li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
-    
+ href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
 </ul>
 <h2>Dynamic Blacklisting</h2>
-    
+<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
-<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
+blacklisting doesn't use any configuration parameters but is rather
-   doesn't use any configuration parameters but is rather controlled using
+controlled using /sbin/shorewall commands:</p>
  /sbin/shorewall commands:</p>
 <ul>
  <li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
 listed IP addresses to be silently dropped by the firewall.</li>
  <li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
- listed  IP    addresses to be rejected by the firewall.</li>
+listed IP addresses to be rejected by the firewall.</li>
-       <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
+  <li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of
-  from hosts    previously blacklisted by a <i>drop</i> or <i>reject</i>
+packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
 command.</li>
  <li>save - save the dynamic blacklisting configuration so that it
-will   be    automatically restored the next time that the firewall is restarted.</li>
+will be automatically restored the next time that the firewall is
 restarted.</li>
  <li>show dynamic - displays the dynamic blacklisting configuration.</li>
 </ul>
-  Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
+Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
 in /etc/shorewall/interfaces.<br>
 <p>Example 1:</p>
 <pre>     <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
-    
+<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and
-<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
+192.0.2.125</p>
 <p>Example 2:</p>
 <pre>     <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
-    
+<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
-<p>    Reenables access from 192.0.2.125.</p>
+<p><font size="2">Last updated 11/14/2003 - <a href="support.htm">Tom
-    
+Eastep</a></font></p>
 <p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-   © <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
+© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
-      <br>
+<br>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/configuration_file_basics.htm
+++ b/Shorewall-docs/configuration_file_basics.htm
@ -9,17 +9,8 @@
  <title>Configuration File Basics</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Configuration Files<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p><b><font color="#ff0000">Warning: </font>If you copy or edit your
 configuration files on a system running Microsoft Windows, you <u>must</u>
 run them through <a
@ -46,7 +37,7 @@ and Source Network Address Translation (SNAT).</li>
 modules.</li>
  <li>/etc/shorewall/rules - defines rules that are exceptions to the
 overall policies established in /etc/shorewall/policy.</li>
-  <li>/etc/shorewall/nat - defines static NAT
+  <li>/etc/shorewall/nat - defines one-to-one NAT
 rules.</li>
  <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
  <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
@ -254,18 +245,21 @@ that you can then use in some of the other configuration files.</p>
 <p>It is suggested that variable names begin with an upper case letter<font
 size="1"> </font>to distinguish them from variables used internally
 within the Shorewall programs</p>
-<p>Example:</p>
+<p>Example:<br>
 </p>
 <p>&nbsp;&nbsp;&nbsp; /etc/shorewall/params<br>
 </p>
 <blockquote>
-  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
+  <pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918<br></pre>
 </blockquote>
-<p><br>
+<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/interfaces record:</p>
 Example (/etc/shorewall/interfaces record):</p>
 <font face="Century Gothic, Arial, Helvetica">
 <blockquote>
  <pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
 </blockquote>
 </font>
-<p>The result will be the same as if the record had been written</p>
+<p>&nbsp;&nbsp;&nbsp; The result will be the same as if the record had
 been written</p>
 <font face="Century Gothic, Arial, Helvetica">
 <blockquote>
  <pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
@ -331,7 +325,8 @@ The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
 allows you to attempt to restart using an alternate configuration and
 if an
 error occurs to automatically restart the standard configuration.<br>
-<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2"> Updated 11/20/2003 - <a href="support.htm">Tom
 Eastep</a>
 </font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
--- a/Shorewall-docs/copyright.htm
+++ b/Shorewall-docs/copyright.htm
@ -1,46 +1,30 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Copyright</title>
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">Copyright<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp;
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+2000, 2001, 2003 Thomas M Eastep<br>
-    <tbody>
+&nbsp;</p>
     <tr>
      <td width="100%">       
      <h1 align="center"><font color="#ffffff">Copyright</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <p align="left">Copyright <font face="Trebuchet MS">©</font>  2000, 2001, 
 2003  Thomas M Eastep<br>
   </p>
 <blockquote>
-  <p align="left">Permission is granted to copy, distribute and/or modify 
+  <p align="left">Permission is granted to copy, distribute and/or
-this    document under the terms of the GNU Free Documentation License, Version 
+modify this document under the terms of the GNU Free Documentation
-1.1 or    any later version published by the Free Software Foundation; with 
+License, Version 1.1 or any later version published by the Free
-no Invariant    Sections, with no Front-Cover, and with no Back-Cover Texts. 
+Software Foundation; with no Invariant Sections, with no Front-Cover,
-A copy of the    license is included in the section entitled "<a
+and with no Back-Cover Texts. A copy of the license is included in the
- href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
+section entitled "<a href="GnuCopyright.htm">GNU Free Documentation
-   </p>
+License</a>".<br>
-  </blockquote>
+&nbsp;</p>
-   <br>
+</blockquote>
- <br>
+<br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/dhcp.htm
+++ b/Shorewall-docs/dhcp.htm
@ -1,85 +1,65 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>DHCP</title>
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">DHCP<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
    <tbody>
     <tr>
      <td width="100%">       
      <h1 align="center"><font color="#ffffff">DHCP</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
 <ul>
  <li>
-    <p align="left">Specify the "dhcp" option on each interface to be  served
+    <p align="left">Specify the "dhcp" option on each interface to be
 served
 by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
-    file. This will generate rules that will allow DHCP to and from your firewall
+file. This will generate rules that will allow DHCP to and from your
 firewall
 system. </p>
  </li>
  <li>
-    <p align="left">When starting "dhcpd", you need to list those     interfaces 
+    <p align="left">When starting "dhcpd", you need to list those
-on the run line. On a RedHat system, this is done by modifying     /etc/sysconfig/dhcpd. 
+interfaces on the run line. On a RedHat system, this is done by
-    </p>
+modifying /etc/sysconfig/dhcpd. </p>
  </li>
 </ul>
 <h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
 <ul>
  <li>
    <p align="left">Specify the "dhcp" option for this interface in the
    <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
-  file. This will generate rules that will allow DHCP to and from your firewall 
+file.&nbsp;This will generate rules that will allow DHCP to and from
-system.      </p>
+your firewall system. </p>
  </li>
  <li>
-    <p align="left">If you know that the dynamic address is always going to
+    <p align="left">If you know that the dynamic address is always
-be     in the same subnet, you can specify the subnet address in the interface's 
+going to
-    entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> 
+be in the same subnet, you can specify the subnet address in the
-    file.   </p>
+interface's entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
 file. </p>
  </li>
  <li>
-    <p align="left">If you don't know the subnet address in advance, you should
+    <p align="left">If you don't know the subnet address in advance,
-    specify "detect" for the interface's subnet address in the <a
+you should specify "detect" for the interface's subnet address in the <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
 and start Shorewall after the interface has started. </p>
  </li>
  <li>
-    <p align="left">In the event that the subnet address might change while 
+    <p align="left">In the event that the subnet address might change
-    Shorewall is started, you need to arrange for a "shorewall     refresh" 
+while Shorewall is started, you need to arrange for a "shorewall
-command to be executed when a new dynamic IP address gets     assigned to 
+refresh" command to be executed when a new dynamic IP address gets
-the interface. Check your DHCP client's documentation. </p>
+assigned to the interface. Check your DHCP client's documentation. </p>
  </li>
 </ul>
 <p align="left"><font size="2">Last updated 11/03/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
-   <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/download.htm
+++ b/Shorewall-docs/download.htm
@ -9,17 +9,8 @@
  <title>Download</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Shorewall Download<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p><b>I strongly urge you to read and print a copy of the <a
 href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
 for the configuration that most closely matches your own.<br>
@ -86,20 +77,20 @@ removing the file /etc/shorewall/startup_disabled.</b></font></p>
        <td><b>HTTP</b></td>
        <td><b>FTP</b></td>
      </tr>
      <tr>
        <td>SourceForge<br>
        </td>
        <td>sf.net</td>
        <td><a
 href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
        <td>N/A</td>
      </tr>
      <tr>
        <td>Slovak Republic</td>
        <td>Shorewall.net</td>
        <td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
        <td> <a target="_blank"
 href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
      </tr>
      <tr>
        <td style="vertical-align: top;">Washington State, USA</td>
        <td style="vertical-align: top;">Shorewall.net</td>
        <td style="vertical-align: top;"><a
 href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
        <td style="vertical-align: top;"><a
 href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
      </tr>
      <tr>
        <td>Texas, USA</td>
@ -144,7 +135,8 @@ Unavailable)</a></td>
        <td valign="top"><a
 href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
        </td>
-        <td valign="top">N/A<br>
+        <td valign="top"><a href="ftp://ftp.syachile.cl/pub/shorewall"
 target="_top">Browse</a><br>
        </td>
      </tr>
      <tr>
@ -159,11 +151,14 @@ Unavailable)</a></td>
        </td>
      </tr>
      <tr>
-        <td>Washington State, USA</td>
+        <td>Sourceforge - California, USA (Incomplete)<br>
-        <td>Shorewall.net</td>
+        </td>
-        <td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
+        <td>Sourceforge.net<br>
-        <td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
+        </td>
- target="_blank">Browse</a></td>
+        <td><a href="http://sourceforge.net/projects/shorewall">Browse<br>
        </a></td>
        <td>N/A<br>
        </td>
      </tr>
    </tbody>
  </table>
@ -187,7 +182,7 @@ These snapshots have undergone initial testing and will have been
 installed and run at shorewall.net.<br>
  </p>
 </blockquote>
-<p align="left"><font size="2">Last Updated 9/25/2003 - <a
+<p align="left"><font size="2">Last Updated 11/14/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/errata.htm
+++ b/Shorewall-docs/errata.htm
@ -10,43 +10,36 @@
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<p align="center"> </p>
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+<h1 style="text-align: center;">Shorewall Errata<br>
- bgcolor="#3366ff" height="90">
+</h1>
-  <tbody>
+<p align="center"><b><u>IMPORTANT</u></b></p>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
 Issues</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p align="center"> <b><u>IMPORTANT</u></b></p>
 <ol>
  <li>
    <p align="left"> <b><u>I</u>f you use a Windows system to download
 a corrected script, be sure to run the script through <u> <a
 href="http://www.megaloman.com/%7Ehany/software/hd2u/"
 style="text-decoration: none;"> dos2unix</a></u> after you have moved
-it to your Linux system.</b></p>
+it
 to your Linux system.</b></p>
  </li>
  <li>
    <p align="left"> <b>If you are installing Shorewall for the first
-time and plan to use the .tgz and install.sh script, you can untar
+time and plan to use the .tgz and install.sh script, you can untar the
-the archive, replace the 'firewall' script in the untarred directory
+archive, replace the 'firewall' script in the untarred directory with
-with the one you downloaded below, and then run install.sh.</b></p>
+the one you downloaded below, and then run install.sh.</b></p>
  </li>
  <li>
    <p align="left"> <b>When the instructions say to install a
-corrected firewall script in /usr/share/shorewall/firewall,
+corrected firewall script in /usr/share/shorewall/firewall, you may
-you may rename the existing file before copying in the new file.</b></p>
+rename the existing file before copying in the new file.</b></p>
  </li>
  <li>
    <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
 COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
-BELOW. For example, do NOT install the 1.3.9a firewall script
+BELOW. For example, do NOT install the 1.3.9a firewall script if you
-if you are running 1.3.7c.</font></b><br>
+are
 running 1.3.7c.</font></b><br>
    </p>
  </li>
 </ol>
@ -61,8 +54,7 @@ Version 1.1</a></font></b></li>
  <li> <b><font color="#660066"><a href="#iptables"> Problem with
 iptables version 1.2.3 on RH7.2</a></font></b></li>
  <li> <b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
-RedHat
+RedHat iptables</a></b></li>
 iptables</a></b></li>
  <li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
  <li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
 MULTIPORT=Yes</a></b></li>
@ -75,12 +67,38 @@ REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
 <hr>
 <h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
 <h3></h3>
 <h3>1.4.7</h3>
 <ul>
  <li>Using some versions of 'ash' (such as from RH8) as the
 SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
    <br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so: <br>
 &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.</li>
  <li>When more than one ICMP type is listed in a rule and your kernel
 includes multiport match support,&nbsp; the firewall fails to
 start.&nbsp;</li>
  <li>Regardless of the setting of LOGUNCLEAN, the value
 LOGUNCLEAN=info was used.</li>
  <li>After the following error message, Shorewall was left in an
 inconsistent state:<br>
    <br>
 Error: Unable to determine the routes through interface xxx<br>
  </li>
 </ul>
 These problems have been corrected in this <a
 href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
 script</a> which may be installed in /var/share/shorewall/firewall as
 described above.<br>
 <h3>1.4.6</h3>
 <ul>
  <li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
 would fail to start with the error "ERROR:&nbsp; Traffic Control
-requires Mangle";
+requires
-that problem has been corrected in <a
+Mangle"; that problem has been corrected in <a
 href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
 firewall script</a> which may be installed in
 /var/share/shorewall/firewall as described above. This problem is also
@ -95,13 +113,10 @@ follows:<br>
 For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
 in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
 firewall script</a> which may be installed in
-/var/share/shorewall/firewall
+/var/share/shorewall/firewall as described above. For all other
-as described above. For all other versions, you will have to edit your
+versions, you will have to edit your 'firewall' script (in versions
-'firewall'
+1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
-script (in versions 1.4.*, it is located in
+function add_tcrule_() and in that function, replace this line:<br>
 /usr/share/shorewall/firewall).
 Locate the function add_tcrule_() and in that function, replace this
 line:<br>
    <br>
 &nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
 $source`&nbsp;</span><br>
@ -116,13 +131,13 @@ Note that there must be a space before the ending quote!<br>
 </ul>
 <h3>1.4.4b</h3>
 <ul>
-  <li>Shorewall is ignoring records in /etc/shorewall/routestopped
+  <li>Shorewall is ignoring records in /etc/shorewall/routestopped that
-that have an empty second column (HOSTS). This problem may be corrected
+have an empty second column (HOSTS). This problem may be corrected by
-by installing <a
+installing <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
 target="_top">this firewall script</a> in
-/usr/share/shorewall/firewall as
+/usr/share/shorewall/firewall
-described above.</li>
+as described above.</li>
  <li>The INCLUDE directive doesn't work when placed in the
 /etc/shorewall/zones file. This problem may be corrected by installing <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
@ -138,8 +153,8 @@ though the log level for the console is set properly according to <a
 installing <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
 target="_top">this firewall script</a> in
-/usr/share/shorewall/firewall as
+/usr/share/shorewall/firewall
-described above.<br>
+as described above.<br>
  </li>
 </ul>
 <h3>1.4.4<br>
@ -158,7 +173,8 @@ to allow integration of Shorewall with Fireparse
 of the integration problem. I have implimented a new LOGFORMAT variable
 which will replace LOGMARKER which has completely solved this problem
 and is currently in production with fireparse here at shorewall.net.
-The updated files may be found at <a
+The
 updated files may be found at <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
 target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
 See the 0README.txt file for details.<br>
@ -171,8 +187,8 @@ directory created in /tmp is not being removed. This problem may be
 corrected by installing <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
 target="_top">this firewall script</a> in
-/usr/share/shorewall/firewall as
+/usr/share/shorewall/firewall
-described above. <br>
+as described above. <br>
  </li>
 </ul>
 <h3>1.4.1a, 1.4.1 and 1.4.0</h3>
@ -191,7 +207,8 @@ in /etc/shorewall/common.def.<br>
 produces the harmless additional message:<br>
    <br>
 &nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
-unary operator expected<br>
+unary operator
 expected<br>
    <br>
 You may correct the problem by installing <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
@ -202,8 +219,8 @@ You may correct the problem by installing <a
 <h3>1.4.0</h3>
 <ul>
  <li>When running under certain shells Shorewall will attempt to
-create ECN rules even when /etc/shorewall/ecn is empty. You may
+create ECN rules even when /etc/shorewall/ecn is empty. You may either
-either just remove /etc/shorewall/ecn or you can install <a
+just remove /etc/shorewall/ecn or you can install <a
 href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
 correct script</a> in /usr/share/shorewall/firewall as described above.<br>
  </li>
@ -222,17 +239,19 @@ released this buggy iptables in RedHat 7.2.&nbsp;</p>
  <p align="left"> I have built a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
 corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
-also built an <a
+also
 built an <a
 href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
 iptables-1.2.4 rpm which you can download here</a>. If you are
-currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
+currently
-  </b>you upgrade to RedHat 7.2.</p>
+running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
  </b>you
 upgrade to RedHat 7.2.</p>
  <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
-has released an iptables-1.2.4 RPM of their own which
+has released an iptables-1.2.4 RPM of their own which you can download
-you can download from<font color="#ff6633"> <a
+from<font color="#ff6633"> <a
- href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
-  </font>I have installed this RPM on my firewall and
+have installed this RPM on my firewall and it works fine.</p>
 it works fine.</p>
  <p align="left">If you would like to patch iptables 1.2.3 yourself,
 the patches are available for download. This <a
 href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
@ -246,8 +265,8 @@ corrects a problem in handling the&nbsp; TOS target.</p>
    <li>patch -p0 &lt; <i>the-patch-file</i></li>
  </ul>
 </blockquote>
-<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
+<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and RedHat
-RedHat iptables</h3>
+iptables</h3>
 <blockquote>
  <p>Users who use RedHat iptables RPMs and who upgrade to kernel
 2.4.18/19 may experience the following:</p>
@ -259,10 +278,9 @@ user-space debugging code was not updated to reflect recent changes in
 the Netfilter 'mangle' table. You can correct the problem by installing
  <a
 href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
-this iptables RPM</a>. If you are already running a
+this iptables RPM</a>. If you are already running a 1.2.5 version of
-1.2.5 version of iptables, you will need to specify the
+iptables, you will need to specify the --oldpackage option to rpm
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
+(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
 iptables-1.2.5-1.i386.rpm").</p>
 </blockquote>
 <h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
 <p>If you find that rpm complains about a conflict with kernel &lt;=
@ -275,7 +293,8 @@ MULTIPORT=Yes</b></h3>
 <p>The iptables 1.2.7 release of iptables has made an incompatible
 change to the syntax used to specify multiport match rules; as a
 consequence, if you install iptables 1.2.7 you must be running
-Shorewall 1.3.7a or later or:</p>
+Shorewall
 1.3.7a or later or:</p>
 <ul>
  <li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
  <li>if you are running Shorewall 1.3.6 you may install <a
@ -293,23 +312,22 @@ Error message is:<br>
 <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
 The solution is to put "no" in the LOCAL column. Kernel support for
 LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
-2.4.19 kernel contains corrected support
+2.4.19 kernel contains corrected support under a new kernel
-under a new kernel configuraiton option; see <a
+configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
 href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
 <br>
 <h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
-and REJECT
+and
-(also applies to 2.4.21-RC1)</b></h3>
+REJECT (also applies to 2.4.21-RC1)</b></h3>
 Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
 tcp-reset" is broken. The symptom most commonly seen is that REJECT
 rules act just like DROP rules when dealing with TCP. A kernel patch
-and precompiled modules to fix this problem are available at <a
+and
 precompiled modules to fix this problem are available at <a
 href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
 target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
 <hr>
-<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
+<p><font size="2"> Last updated 10/11/2003 - <a href="support.htm">Tom
-Eastep</a></font>
+Eastep</a></font> </p>
 </p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
 </p>
--- a/Shorewall-docs/fallback.htm
+++ b/Shorewall-docs/fallback.htm
@ -1,77 +1,61 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Fallback and Uninstall</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
-  
+<div style="text-align: left;">
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Fallback and Uninstall<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+<h1><strong></strong></h1>
-   <tbody>
+<h1><strong></strong></h1>
-    <tr>
+</div>
     <td width="100%">  
      <h1 align="center"><font color="#ffffff">Fallback and Uninstall</font></h1>
      </td>
   </tr>
  </tbody>
 </table>
 <p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
 script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
 script</strong></a><strong>.</strong></p>
-  
+<h2><a name="fallback"></a>Falling Back to the Previous Version of
-<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall 
+Shorewall using the Fallback Script</h2>
-using the Fallback Script</h2>
+<p>If you install Shorewall and discover that it doesn't work for you,
-  
+you
 <p>If you install Shorewall and discover that it doesn't work for you, you
 can fall back to your previously installed version. To do that:</p>
 <ul>
  <li>cd to the distribution directory for the version of Seattle
-Firewall <u>that you are         currently running </u>(NOT the version 
+Firewall <u>that you are currently running </u>(NOT the version that
-       that you want to fall back to).</li>
+you want to fall back to).</li>
  <li>Type "./fallback.sh"</li>
 </ul>
-  
+<h3><strong><u>Warning:</u> The fallback script will replace
-<h3><strong><u>Warning:</u> The fallback script will replace /etc/shorewall/policy,
+/etc/shorewall/policy,
-/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp
+/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
-and /etc/shorewall/masq with the version of these files from before the current
+/etc/shorewall/proxyarp
 and /etc/shorewall/masq with the version of these files from before the
 current
 version was installed. Any changes to any of these files will be lost.</strong></h3>
-  
+<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall
-<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using 
+using rpm</h2>
-rpm</h2>
+<p>If your previous version of Shorewall was installed using RPM, you
-  
+may
-<p>If your previous version of Shorewall was installed using RPM, you may
+fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;"
-fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;" at
+at
-a root shell prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm"
+a root shell prompt (Example: "rpm -Uvh --force
 /downloads/shorewall-3.1=0noarch.rpm"
 would fall back to the 3.1-0 version of Shorewall).</p>
 <h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
 <p>If you no longer wish to use Shorewall, you may remove it by:</p>
 <ul>
  <li>cd to the distribution directory for the version of Shorewall
 that you have installed.</li>
  <li>type "./uninstall.sh"</li>
 </ul>
-  
+<p>If you installed using an rpm, at a root shell prompt type "rpm -e
-<p>If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".</p>
+shorewall".</p>
 <p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
- <a href="copyright.htm"><font size="2">Copyright</font> © <font
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
 </body>
 </html>
--- a/Shorewall-docs/gnu_mailman.htm
+++ b/Shorewall-docs/gnu_mailman.htm
@ -1,80 +1,57 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>GNU Mailman</title>
 </head>
-  <body>
+<body>
-  
+<h1 align="center">GNU Mailman/Postfix the Easy Way&nbsp;</h1>
-<table border="0" cellpadding="0" cellspacing="0"
+<h4>The following was posted on the Postfix mailing list on 5/4/2002 by
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+Michael Tokarev as a suggested addition to the Postfix FAQ.</h4>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
      <tbody>
       <tr>
        <td width="100%">       
      <h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy 
 Way</font></h1>
        </td>
      </tr>
  </tbody> 
 </table>
 <h1 align="center"> </h1>
 <h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael 
  Tokarev as a suggested addition to the Postfix FAQ.</h4>
 <p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
-    <br>
+<br>
-    A: Mailman uses a setgid wrapper that is designed to be used in system-wide 
+A: Mailman uses a setgid wrapper that is designed to be used in
-  aliases file so that rest of mailman's mail handling processes will run 
+system-wide aliases file so that rest of mailman's mail handling
-with  proper uid/gid. Postfix has an ability to run a command specified in 
+processes will run with proper uid/gid. Postfix has an ability to run a
-an alias as  owner of that alias, thus mailman's wrapper is not needed here. 
+command specified in an alias as owner of that alias, thus mailman's
- The best method  to invoke mailman's mail handling via aliases is to use 
+wrapper is not needed here. The best method to invoke mailman's mail
-separate alias file  especially for mailman, and made it owned by mailman 
+handling via aliases is to use separate alias file especially for
-and group mailman. Like:<br>
+mailman, and made it owned by mailman and group mailman. Like:<br>
-    <br>
+<br>
-    alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
+alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
-    <br>
+<br>
-    Make sure that /var/mailman/aliases.db is owned by mailman user (this 
+Make sure that /var/mailman/aliases.db is owned by mailman user (this
 may be done by executing postalias as mailman userid).<br>
-    <br>
+<br>
-    Next, instead of using mailman-suggested aliases entries with wrapper, 
+Next, instead of using mailman-suggested aliases entries with wrapper,
 use the following:<br>
-    <br>
+<br>
-    instead of<br>
+instead of<br>
-    mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
+mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
-    mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
+mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
-    mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
+mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
-    ...<br>
+...<br>
-    <br>
+<br>
-    use<br>
+use<br>
-    mailinglist: /var/mailman/scripts/post mailinglist<br>
+mailinglist: /var/mailman/scripts/post mailinglist<br>
-    mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
+mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
-    mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
+mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
-    ...</p>
+...</p>
-  
+<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted
-<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something 
+something very similar so that no workaround is necessary. See the
-very similar so that no workaround is necessary. See the README.POSTFIX file 
+README.POSTFIX file included with Mailman-2.1.&nbsp;</h4>
 included with Mailman-2.1. </h4>
 <p align="left"><font size="2">Last updated 12/29/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M.
-     <br>
+Eastep.</font></a></font></p>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/images/Legend.png
+++ b/Shorewall-docs/images/Legend.png
--- a/Shorewall-docs/images/Logo.png
+++ b/Shorewall-docs/images/Logo.png
--- a/Shorewall-docs/images/Logo1.gif
+++ b/Shorewall-docs/images/Logo1.gif
--- a/Shorewall-docs/images/Logo2.gif
+++ b/Shorewall-docs/images/Logo2.gif
--- a/Shorewall-docs/images/Logo3.png
+++ b/Shorewall-docs/images/Logo3.png
--- a/Shorewall-docs/images/MultiPPTP.png
+++ b/Shorewall-docs/images/MultiPPTP.png
--- a/Shorewall-docs/images/MultiZone1.png
+++ b/Shorewall-docs/images/MultiZone1.png
--- a/Shorewall-docs/images/MultiZone1A.png
+++ b/Shorewall-docs/images/MultiZone1A.png
--- a/Shorewall-docs/images/MultiZone1B.png
+++ b/Shorewall-docs/images/MultiZone1B.png
--- a/Shorewall-docs/images/MultiZone2.png
+++ b/Shorewall-docs/images/MultiZone2.png
--- a/Shorewall-docs/images/Netfilter.png
+++ b/Shorewall-docs/images/Netfilter.png
--- a/Shorewall-docs/images/ProtectedBy.png
+++ b/Shorewall-docs/images/ProtectedBy.png
--- a/Shorewall-docs/images/netfilterconf.png
+++ b/Shorewall-docs/images/netfilterconf.png
--- a/Shorewall-docs/images/staticnat.png
+++ b/Shorewall-docs/images/staticnat.png
--- a/Shorewall-docs/images/staticnat.vsd
+++ b/Shorewall-docs/images/staticnat.vsd
--- a/Shorewall-docs/index.htm
+++ b/Shorewall-docs/index.htm
@ -1,22 +1,19 @@
 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
 Frameset//EN""http://www.w3.org/TR/html4/frameset.dtd">
 <html>
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
 <title>Shoreline Firewall</title>
-<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
+<meta http-equiv="Content-Type" content="text/html;
-<meta name="ProgId" content="FrontPage.Editor.Document">
+charset=iso-8859-1"></head>
-</head>
+<frameset rows="110,*" cols="*" frameborder="yes"
-
+border="1"framespacing="0">  <frame
-<frameset cols="242,*">
+src="Banner.html" name="topFrame"scrolling="NO"
-  <frame name="contents" target="main" src="Shorewall_index_frame.htm">
+noresize >
-  <frame name="main" src="seattlefirewall_index.htm" target="_self" scrolling="auto">
+<frameset cols="242,*" frameborder="yes" border="1" framespacing="0">
-  <noframes>
+<frame src="Shorewall_index_frame.htm" name="contents">    <frame src="seattlefirewall_index.htm"
-  <body>
+name="main">
  <p>This page uses frames, but your browser doesn't support them.</p>
  </body>
  </noframes>
 </frameset>
-
+</frameset>
 <noframes><body><p>This page uses frames, but your browser doesn't
 support them.</p></body></noframes>
 </html>
--- a/Shorewall-docs/kernel.htm
+++ b/Shorewall-docs/kernel.htm
@ -1,45 +1,27 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Kernel Configuration</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
-   
+<h1 style="text-align: center;">Kernel Configuration<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<p>For information regarding configuring and building GNU/Linux
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+kernels, see
    <tbody>
     <tr>
      <td width="100%">            
      <h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
      </td>
    </tr>
  </tbody> 
 </table>
 <p>For information regarding configuring and building GNU/Linux kernels, see
 <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
 <p>Here's a screen shot of my Network Options Configuration:</p>
 <blockquote>
-  <p> <img border="0" src="images/netopts.jpg" width="609" height="842">
+  <p>&nbsp;<img border="0" src="images/netopts.jpg" width="609"
-   </p>
+ height="842"> </p>
-  </blockquote>
+</blockquote>
-   
+<p>While not all of the options that I've selected are required, they
-<p>While not all of the options that I've selected are required, they should 
+should be sufficient for most applications. Here's an excerpt from the
-be sufficient for most applications. Here's an excerpt from the corresponding 
+corresponding .config file (Note: If you are running a kernel older
-.config file (Note: If you are running a kernel older than 2.4.17, be sure 
+than 2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
 to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
 <blockquote> <font size="2">
  <p>#<br>
 # Networking options<br>
@ -71,32 +53,29 @@ CONFIG_INET_ECN=y<br>
 CONFIG_SYN_COOKIES=y<br>
  </p>
  </font> </blockquote>
 <p>Here's a screen shot of my Netfilter configuration:</p>
 <blockquote>
  <p><img src="images/menuconfig1.jpg" alt="(Netfilter Options)"
- width="589" height="849">
+ width="589" height="849"> <br>
  <br>
  </p>
-  </blockquote>
+</blockquote>
-    
+<p>Note that I have built everything I need as modules. You can also
-<p>Note that I have built everything I need as modules. You can also build
+build
-everything into your kernel but if you want to be able to deal with FTP running
+everything into your kernel but if you want to be able to deal with FTP
-on a non-standard port then I recommend that you modularize FTP Protocol
+running
 on a non-standard port then I recommend that you modularize FTP
 Protocol
 support.<br>
 </p>
 <p>Here's the corresponding part of my .config file:<br>
 </p>
 <blockquote>
-  <pre>#<br>#   IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
+  <pre>#<br>#&nbsp;&nbsp; IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
-   </blockquote>
+</blockquote>
 <p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-  <a href="copyright.htm"><font size="2">Copyright</font> © <font
+<a href="copyright.htm"><font size="2">Copyright</font> © <font
- size="2">2001-2003,  Thomas M. Eastep.</font></a><br>
+ size="2">2001-2003,&nbsp; Thomas M. Eastep.</font></a><br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/mailing_list.htm
+++ b/Shorewall-docs/mailing_list.htm
@ -15,7 +15,8 @@
 border="0">
  <tbody>
    <tr>
-      <td width="33%" valign="middle" align="left">
+      <td width="33%" valign="middle" align="left"
 style="background-color: rgb(255, 255, 255);">
      <h1 align="center"><a
 href="http://www.centralcommand.com/linux_products.html"><img
 src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@ -23,15 +24,18 @@
      <a href="http://www.gnu.org/software/mailman/mailman.html"> <img
 border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
 height="35" alt=""> </a>
-      <p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
+      <p align="right" style="background-color: rgb(255, 255, 255);"><font
 color="#ffffff"><b>&nbsp; </b></font><a
 href="http://razor.sourceforge.net/"><img src="images/razor.gif"
 alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
      </p>
      </td>
-      <td valign="middle" width="34%" align="center">
+      <td valign="middle" width="34%" align="center"
-      <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
+ style="color: rgb(51, 0, 51); background-color: rgb(255, 255, 255);">
      <h1 align="center">Shorewall Mailing Lists</h1>
      </td>
-      <td valign="middle" width="33%"> <a
+      <td valign="middle" width="33%"
 style="background-color: rgb(255, 255, 255);"> <a
 href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
 align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
      </a><br>
@ -50,7 +54,7 @@
 <big><span style="color: rgb(255, 0, 0);"><span
 style="font-weight: bold;">If you are reporting a problem or asking a
 question, you are at the wrong place -- please see the <a
- href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
+ href="http://shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
 <br>
 If you experience problems with any of these lists,
 please let <a href="mailto:postmaster@shorewall.net">me</a>
@ -148,7 +152,7 @@ of general interest to the Shorewall user community is also posted to
 this list.</p>
 <p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
 to this list, please see the <a
- href="http://www.shorewall.net/support.htm">problem
+ href="http://shorewall.net/support.htm">problem
 reporting guidelines</a>.<br>
 </b></big></p>
 <p align="left">To subscribe: <a
@ -158,7 +162,9 @@ reporting guidelines</a>.<br>
 </ul>
 <p align="left"> To post to the list, post to <a
 href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
-<br>
+<span style="font-weight: bold;">IMPORTANT: </span>If you are not
 subscribed to the list, please say so -- otherwise, you will not be
 included in any replies.<br>
 </p>
 <p align="left">The list archives are at <a
 href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
@ -230,8 +236,8 @@ to be emailed to you.</p>
 <h2 align="left">Frustrated by having to Rebuild Mailman to use it with
 Postfix?</h2>
 <p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
-<p align="left"><font size="2">Last updated 9/17/2003 - <a
+<p align="left"><font size="2">Last updated 10/27/2003 - <a
- href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
+ href="http://shorewall.net/support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
 ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/myfiles.htm
+++ b/Shorewall-docs/myfiles.htm
@ -9,18 +9,9 @@
  <meta name="Microsoft Theme" content="none">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber1"
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">About My Network</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <blockquote> </blockquote>
 <h1 style="text-align: center;">About My Network<br>
 </h1>
 <a href="http://www.redhat.com"><img
 style="border: 0px solid ; width: 88px; height: 31px;"
 src="images/poweredby.png" title="" alt="(RedHat Logo)"> </a><a
@ -51,7 +42,7 @@
 <h1> </h1>
 <blockquote>
  <p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small>
-use a combination of Static NAT and Proxy ARP, neither of which are
+use a combination of One-to-one NAT and Proxy ARP, neither of which are
 relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
 If you have just a single public IP address, most of what you see here
 won't apply to your setup so beware of copying parts of this
@ -70,9 +61,10 @@ and a Wireless network connected to eth3 (192.168.3.0/24).</p>
  <p> I use:<br>
  </p>
  <ul>
-    <li>Static NAT for Ursa (my XP System) - Internal address
+    <li>One-to-one NAT for Ursa (my XP System) - Internal address
 192.168.1.5 and external address 206.124.146.178.</li>
-    <li>Static NAT for EastepLaptop (My work system). Internal address
+    <li>One-to-one NAT for EastepLaptop (My work system). Internal
 address
 192.168.1.7 and external address 206.124.146.180.<br>
    </li>
    <li>SNAT through the primary gateway address
@ -181,7 +173,8 @@ my Ethernet interfaces. </p>
 </blockquote>
 <h3>Masq File: </h3>
 <blockquote>
-  <p> Although most of our internal systems use static NAT, my wife's
+  <p> Although most of our internal systems use one-to-one NAT, my
 wife's
 system (192.168.1.4) uses IP Masquerading (actually SNAT) as does my
 personal system (192.168.1.3), our laptop (192.168.3.8) and
 visitors with laptops.<br>
@ -244,7 +237,7 @@ file.<br>
 </div>
 <pre style="margin-left: 40px;">#!/bin/sh<br><br>case $1 in<br>	eth1)<br>		ip route add 206.124.146.177 dev eth1<br>		;;<br>esac<br></pre>
 <pre style="margin-left: 40px;"><span style="font-family: sans-serif;"></span></pre>
-<p><font size="2">Last updated 10/03/2003 - <a href="support.htm">Tom
+<p><font size="2">Last updated 11/13/2003 - <a href="support.htm">Tom
 Eastep</a></font> </p>
 <a href="copyright.htm"><font size="2">Copyright</font> © <font
 size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
--- a/Shorewall-docs/ping.html
+++ b/Shorewall-docs/ping.html
@ -7,18 +7,9 @@
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 <h1 style="text-align: center;">ICMP Echo-request (Ping)<br>
 </h1>
 Shorewall 'Ping' management has evolved over time with the latest
 change coming in Shorewall version 1.4.0. To find out which version of
 Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
--- a/Shorewall-docs/ports.htm
+++ b/Shorewall-docs/ports.htm
@ -1,201 +1,147 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Port Information</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
-  <body>
+<body>
-                
+<h1 style="text-align: center;">Ports Required for Various
-<table border="0" cellpadding="0" cellspacing="0"
+Services/Applications<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
               <tbody>
                <tr>
                 <td width="100%">                                      
      <h1 align="center"><font color="#ffffff">Ports required for Various
      Services/Applications</font></h1>
                 </td>
               </tr>
  </tbody>        
 </table>
 <p>In addition to those applications described in <a
- href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
+ href="Documentation.htm">the /etc/shorewall/rules documentation</a>,
-      are some other services/applications that you may need to configure
+here are some other services/applications that you may need to
 configure
 your firewall to accommodate.</p>
 <p>NTP (Network Time Protocol)</p>
 <blockquote>
  <p>UDP Port 123</p>
-             </blockquote>
+</blockquote>
 <p>rdate</p>
 <blockquote>
  <p>TCP Port 37</p>
-             </blockquote>
+</blockquote>
 <p>UseNet (NNTP)</p>
 <blockquote>
  <p>TCP Port 119</p>
-             </blockquote>
+</blockquote>
 <p>DNS</p>
 <blockquote>
-  <p>UDP Port 53. If you are configuring a DNS client, you will probably
+  <p>UDP Port 53. If you are configuring a DNS client, you will
 probably
 want to open TCP Port 53 as well.<br>
-               If you are configuring a server, only open TCP Port 53 if
+If you are configuring a server, only open TCP Port 53 if
 you will return long replies to queries or if you need to enable ZONE
-transfers. In     the  latter   case, be sure that your server is properly
+transfers.&nbsp;In the latter case, be sure that your server is
 properly
 configured.</p>
-             </blockquote>
+</blockquote>
-                
+<p>ICQ&nbsp;&nbsp;&nbsp;</p>
 <p>ICQ   </p>
 <blockquote>
-  <p>UDP Port 4000. You will also need to open a range of TCP ports which
+  <p>UDP Port 4000. You will also need to open a range of TCP ports
-      you   can specify to your ICQ client. By default, clients use 4000-4100.</p>
+which you can specify to your ICQ client. By default, clients use
-             </blockquote>
+4000-4100.</p>
-                
+</blockquote>
 <p>PPTP</p>
 <blockquote>
  <p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
 href="PPTP.htm">Lots more information here</a>).</p>
-             </blockquote>
+</blockquote>
 <p>IPSEC</p>
 <blockquote>
-  <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
+  <p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP
-      500.    These should be opened in both directions (Lots more information
+Port 500. These should be opened in both directions (Lots more
-       <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
+information <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
-             </blockquote>
+</blockquote>
 <p>SMTP (Email)</p>
 <blockquote>
-  <p> TCP Port 25.</p>
+  <p>&nbsp;TCP Port 25.</p>
-             </blockquote>
+</blockquote>
 <p>RealPlayer<br>
-     </p>
+</p>
 <blockquote>
  <p>UDP Port 6790 inbound<br>
  </p>
-     </blockquote>
+</blockquote>
 <p>POP3</p>
 <blockquote>
  <p>TCP Port 110 (Secure = TCP Port 995)<br>
  </p>
-   </blockquote>
+</blockquote>
 <p>IMAP<br>
-   </p>
+</p>
 <blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
-   </blockquote>
+</blockquote>
 <p>TELNET</p>
 <blockquote>
  <p>TCP Port 23.</p>
-             </blockquote>
+</blockquote>
 <p>SSH</p>
 <blockquote>
  <p>TCP Port 22.</p>
-             </blockquote>
+</blockquote>
 <p>Auth (identd)</p>
 <blockquote>
  <p>TCP Port 113</p>
-             </blockquote>
+</blockquote>
 <p>Web Access</p>
 <blockquote>
  <p>TCP Ports 80 and 443.</p>
-             </blockquote>
+</blockquote>
 <p>FTP<br>
-  </p>
+</p>
 <blockquote>
-  <p>TCP port 21 plus <a href="FTP.html">look here for much more information</a>.<br>
+  <p>TCP port 21 plus <a href="FTP.html">look here for much more
 information</a>.<br>
  </p>
 </blockquote>
 <p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
 <blockquote> </blockquote>
 <blockquote>
  <p>TCP Ports 137, 139 and 445.<br>
-               UDP Ports 137-139.<br>
+UDP Ports 137-139.<br>
  <br>
-               Also, <a href="samba.htm">see this page</a>.</p>
+Also, <a href="samba.htm">see this page</a>.</p>
-             </blockquote>
+</blockquote>
 <p>Traceroute</p>
 <blockquote>
  <p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
-   ICMP type 8 ('ping')<br>
+ICMP type 8 ('ping')<br>
  </p>
-             </blockquote>
+</blockquote>
 <p>NFS<br>
-         </p>
+</p>
 <blockquote>
-  <p>I personally use the following rules for opening access from zone z1
+  <p>I personally use the following rules for opening access from zone
-    to a server with IP address a.b.c.d in zone z2:<br>
+z1 to a server with IP address a.b.c.d in zone z2:<br>
  </p>
  <pre>ACCEPT	z1	z2:a.b.c.d	udp	111<br>ACCEPT	z1	z2:a.b.c.d	tcp	111<br>ACCEPT	z1	z2:a.b.c.d	udp	2049<br>ACCEPT	z1	z2:a.b.c.d	udp	32700:<br></pre>
-         </blockquote>
+</blockquote>
 <blockquote>
-  <p>Note that my rules only cover NFS using UDP (the normal case). There
+  <p>Note that my rules only cover NFS using UDP (the normal case).
-    is lots of additional information at    <a
+There is lots of additional information at&nbsp; <a
- href="http://nfs.sourceforge.net/nfs-howto/security.html">   http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
+ href="http://nfs.sourceforge.net/nfs-howto/security.html">
-             </blockquote>
+http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
-                
+</blockquote>
 <p>VNC<br>
-      </p>
+</p>
 <blockquote>
  <p>TCP port 5900 + &lt;display number&gt;</p>
-      </blockquote>
+</blockquote>
-           
+<p>Didn't find what you are looking for -- have you looked in your own
-<p>Didn't find what you are looking for -- have you looked in your own /etc/services 
+/etc/services file? </p>
   file? </p>
 <p>Still looking? Try <a
- href="http://www.networkice.com/advice/Exploits/Ports">   http://www.networkice.com/advice/Exploits/Ports</a></p>
+ href="http://www.networkice.com/advice/Exploits/Ports">
-                
+http://www.networkice.com/advice/Exploits/Ports</a></p>
 <p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
 href="support.htm">Tom Eastep</a></font> </p>
-             <a href="copyright.htm"><font size="2">Copyright</font>   ©
+<a href="copyright.htm"><font size="2">Copyright</font> ©
 <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/quotes.htm
+++ b/Shorewall-docs/quotes.htm
@ -1,153 +1,134 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Quotes from Shorewall Users</title>
 </head>
-  <body>
+<body>
-      
+<h1 style="text-align: center;">Quotes from Shorewall Users<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
        <tbody>
         <tr>
          <td width="100%">                     
      <h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
          </td>
        </tr>
  </tbody>   
 </table>
 <ul>
-  <li><font size="3">"I have fought with IPtables for untold hours. First
+  <li><font size="3">"I have fought with IPtables for untold hours.
-I tried the SuSE firewall, which worked for 80% of what I needed. Then gShield, 
+First
-which also worked for 80%. Then I set out to write my own IPtables parser 
+I tried the SuSE firewall, which worked for 80% of what I needed. Then
-in shell and awk, which was a lot of fun but never got me past the "hey, cool"
+gShield, which also worked for 80%. Then I set out to write my own
-stage. Then I discovered Shorewall. After about an hour, everything just
+IPtables parser in shell and awk, which was a lot of fun but never got
 me past the "hey, cool"
 stage. Then I discovered Shorewall. After about an hour, everything
 just
 worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
    <br>
  </li>
-  <li>"The configuration is intuitive and flexible, and much easier than
+  <li>"The configuration is intuitive and flexible, and much easier
-any  of the other iptables-based firewall programs out there. After sifting
+than
-through  many other scripts, it is obvious that yours is the most well thought-out 
+any of the other iptables-based firewall programs out there. After
- and complete one available." -- BC, USA<br>
+sifting
 through many other scripts, it is obvious that yours is the most well
 thought-out and complete one available." -- BC, USA<br>
    <br>
  </li>
-  <li>"I just installed Shorewall after weeks of messing with       ipchains/iptables 
+  <li>"I just installed Shorewall after weeks of messing with
-  and I had it up and running in under 20 minutes!"       -- JL, Ohio<br>
+ipchains/iptables and I had it up and running in under 20 minutes!" --
 JL, Ohio<br>
    <br>
  </li>
-  <li>"My case was almost like [the one above]. Well. instead of 'weeks'
+  <li>"My case was almost like [the one above]. Well. instead of
 'weeks'
 it was 'months' for me, and I think I needed two minutes more:<br>
  </li>
 </ul>
 <ul>
  <ul>
-    <li>One to see that I had no Internet access from the firewall itself.</li>
+    <li>One to see that I had no Internet access from the firewall
 itself.</li>
  </ul>
  <ul>
-    <li>Other to see that this was the default configuration, and it was 
+    <li>Other to see that this was the default configuration, and it
-enough  to uncomment a line in /etc/shorewall/policy.<br>
+was enough to uncomment a line in /etc/shorewall/policy.<br>
    </li>
  </ul>
 </ul>
 <ul>
  <li> Minutes instead of months! Congratulations and thanks for such
-a simple  and well documented thing for something as huge as iptables." --
+a simple and well documented thing for something as huge as iptables."
 --
 JV, Spain. </li>
 </ul>
 <ul>
  <li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
-  without   any problems. Your documentation is great and I really appreciate
+without any problems. Your documentation is great and I really
-your  network configuration info. That really helped me out alot.       THANKS!!!" 
+appreciate
-  -- MM.           </li>
+your network configuration info. That really helped me out alot.
 THANKS!!!" -- MM. </li>
 </ul>
 <ul>
  <li>"[Shorewall is a] great, great project. I've used/tested may
-firewall   scripts but this one is till now the best." -- B.R,       Netherlands
+firewall scripts but this one is till now the best." -- B.R,
-        </li>
+Netherlands </li>
 </ul>
 <ul>
  <li>"Never in my +12 year career as a sys admin have I witnessed
-someone   so relentless in developing a secure, state of the art, safe and
+someone so relentless in developing a secure, state of the art, safe
-      useful   product as the Shorewall firewall package for no cost or obligation 
+and useful product as the Shorewall firewall package for no cost or
-  involved." -- Mario Kerecki, Toronto           </li>
+obligation involved." -- Mario Kerecki, Toronto </li>
 </ul>
 <ul>
  <li>"one time more to report, that your great shorewall in the latest
-  release        1.2.9 is working fine for me with SuSE Linux 7.3! I now
+release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
 have 7 machines up and running with shorewall on several versions
 - starting with 1.2.2 up to the new 1.2.9 and I never have encountered
 any problems!" -- SM, Germany</li>
 </ul>
 <ul>
  <li>"You have the best support of any other package I've ever used."
-  -- SE, US           </li>
+-- SE, US </li>
 </ul>
 <ul>
-  <li>"Because our company has information which has been classified by the 
+  <li>"Because our company has information which has been classified by
- national government as secret, our security doesn't stop by putting a fence 
+the national government as secret, our security doesn't stop by putting
-   around our company. Information security is a hot issue. We also make use
+a fence around our company. Information security is a hot issue. We
-  of  checkpoint firewalls, but not all of the internet servers are guarded 
+also make use of checkpoint firewalls, but not all of the internet
-  by  checkpoint, some of them are running....Shorewall." -- Name withheld 
+servers are guarded by checkpoint, some of them are
- by request,  Europe</li>
+running....Shorewall." -- Name withheld by request, Europe</li>
 </ul>
 <ul>
-  <li>"thanx for all your efforts you put into shorewall - this product stands 
+  <li>"thanx for all your efforts you put into shorewall - this product
-  out  against a lot of commercial stuff i´ve been working with in terms of
+stands out against a lot of commercial stuff i´ve been working with in
-   flexibillity, quality &amp; support" -- RM, Austria</li>
+terms of flexibillity, quality &amp; support" -- RM, Austria</li>
 </ul>
 <ul>
-  <li>"I have never seen such a complete firewall package that is so easy
+  <li>"I have never seen such a complete firewall package that is so
 easy
 to configure. I searched the Debian package system for firewall scripts
 and Shorewall won hands down." -- RG, Toronto</li>
 </ul>
 <p></p>
 <ul>
-  <li>"My respects... I've just found and installed Shorewall 1.3.3-1 and
+  <li>"My respects... I've just found and installed Shorewall 1.3.3-1
-it   is a  wonderful piece of software. I've just sent out an email to about 
+and
-30  people  recommending it. :-)<br>
+it is a wonderful piece of software. I've just sent out an email to
 about 30 people recommending it. :-)<br>
    <br>
-While I had previously taken the time (maybe 40 hours) to really understand 
+While I had previously taken the time (maybe 40 hours) to really
-   ipchains, then spent at least an hour per server customizing and carefully 
+understand ipchains, then spent at least an hour per server customizing
-   scrutinizing firewall rules, I've got shorewall running on my home firewall, 
+and carefully scrutinizing firewall rules, I've got shorewall running
-   with rulesets and policies that I know make sense, in under 20 minutes." 
+on my home firewall, with rulesets and policies that I know make sense,
-  -- RP,  Guatamala<br>
+in under 20 minutes." -- RP, Guatamala<br>
  </li>
 </ul>
-      
+<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
-<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003 
+7/1/2003 - <a href="support.htm">Tom Eastep</a> </font> </p>
  - <a href="support.htm">Tom Eastep</a>      </font>                    
    </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-   © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-       <br>
+<br>
-     <br>
+<br>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/samba.htm
+++ b/Shorewall-docs/samba.htm
@ -9,17 +9,8 @@
  <title>Samba</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Samba/SMB<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Samba</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p>If you wish to run Samba on your firewall and access shares between
 the firewall and local hosts, you need the following rules:</p>
 <h4>/etc/shorewall/rules:</h4>
@ -95,7 +86,98 @@ DEST</b></td>
    </tbody>
  </table>
 </blockquote>
-<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
+<p>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</p>
 <h4>/etc/shorewall/rules:</h4>
 <blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
  <table border="2" cellpadding="2" style="border-collapse: collapse;">
    <tbody>
      <tr>
        <td><b>ACTION</b></td>
        <td><b>SOURCE</b></td>
        <td><b>DEST</b></td>
        <td><b> PROTO</b></td>
        <td><b>DEST<br>
 PORT(S)</b></td>
        <td><b>SOURCE<br>
 PORT(S)</b></td>
        <td><b>ORIGINAL<br>
 DEST</b></td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>Z1<br>
        </td>
        <td>Z2<br>
        </td>
        <td>udp</td>
        <td>137:139</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>Z1<br>
        </td>
        <td>Z2<br>
        </td>
        <td>tcp</td>
        <td>137,139,445</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>Z1<br>
        </td>
        <td>Z2<br>
        </td>
        <td>udp</td>
        <td>1024:</td>
        <td>137</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>Z2<br>
        </td>
        <td>Z1<br>
        </td>
        <td>udp</td>
        <td>137:139</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>Z2<br>
        </td>
        <td>Z1<br>
        </td>
        <td>tcp</td>
        <td>137,139,445</td>
        <td>&nbsp;</td>
        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>ACCEPT</td>
        <td>Z2<br>
        </td>
        <td>Z1<br>
        </td>
        <td>udp</td>
        <td>1024:</td>
        <td>137</td>
        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
 </blockquote>
 <br>
 To make network browsing ("Network Neighborhood") work properly between
 Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I
 run Samba on my firewall to handle browsing between two zones connected
 to my firewall. Details are <a href="myfiles.htm">here</a>.<br>
 <p><font size="2">Last modified 10/22/2002 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
 © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
--- a/Shorewall-docs/seattlefirewall_index.htm
+++ b/Shorewall-docs/seattlefirewall_index.htm
@ -7,30 +7,38 @@
  <base target="_self">
 </head>
 <body>
 <table cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#3366ff">
  <tbody>
    <tr>
      <td width="33%" height="90" valign="middle" align="center"><a
 href="http://www.cityofshoreline.com"> </a>
      <div align="center"> <img src="images/Logo1.png"
 alt="(Shorewall Logo)" width="430" height="90" align="middle"> </div>
      </td>
    </tr>
  </tbody>
 </table>
 <div align="center">
 <div align="center"> </div>
 <center>
 <div align="center"> </div>
 <table border="0" cellpadding="0" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber4">
+ style="border-collapse: collapse; width: 100%; height: 100%;"
 id="AutoNumber4">
  <tbody>
    <tr>
      <td width="90%">
-      <h2>Introduction<br>
+      <h2>Site Problem</h2>
 The server that normally hosts www.shorewall.net and ftp.shorewall.net
 is currently down. Until it is back up, a small server with very
 limited bandwidth is being used temporarly. You will likely experience
 better response time from the <a
 href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
 or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
 Sorry for the inconvenience.<br>
      <br>
      <h2>Introduction to Shorewall<br>
      </h2>
      <h3>This is the Shorewall 1.4 Web Site</h3>
 The information on this site applies only to 1.4.x releases of
 Shorewall. For older versions:<br>
      <ul>
        <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
 target="_top">here.</a></li>
        <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
 target="_top">here</a>.</li>
      </ul>
      <h3>Glossary<br>
      </h3>
      <ul>
        <li><a href="http://www.netfilter.org">Netfilter</a> - the
 packet filter facility built into the 2.4 and later Linux kernels.</li>
@ -40,12 +48,12 @@ and control that facility. Netfilter can be used in ipchains
 compatibility mode.<br>
        </li>
        <li>iptables - the utility program used to configure and
-control
+control Netfilter. The term 'iptables' is often used to refer to the
-Netfilter. The term 'iptables' is often used to refer to the
+combination of iptables+Netfilter (with Netfilter not in ipchains
-combination of iptables+Netfilter (with Netfilter not in
+compatibility mode).</li>
 ipchains compatibility mode).<br>
        </li>
      </ul>
      <h3>What is Shorewall?<br>
      </h3>
 The Shoreline Firewall, more commonly known as "Shorewall", is
 high-level tool for configuring Netfilter. You describe your
 firewall/gateway requirements using entries in a set of configuration
@ -57,367 +65,237 @@ system. Shorewall does not use Netfilter's ipchains compatibility mode
 and can thus take advantage of Netfilter's connection state tracking
 capabilities.<br>
      <br>
 Shorewall is <span style="text-decoration: underline;">not</span> a
 daemon. Once Shorewall has configured Netfilter, it's job is complete
 although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
 program can be used at any time to monitor the Netfilter firewall</a>.<br>
      <h3>Getting Started with Shorewall</h3>
 New to Shorewall? Start by selecting the <a
 href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
 closely match your environment and follow the step by step instructions.<br>
      <h3>Looking for Information?</h3>
 The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
 Index</a> is a good place to start as is the Quick Search in the frame
 above.
      <h3>License<br>
      </h3>
 This program is free software; you can redistribute it and/or modify it
 under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
-2 of the GNU
+2 of the GNU General Public License</a> as published by the Free
-General Public License</a> as published by the Free Software Foundation.<br>
+Software Foundation.<br>
      <p> This program is distributed in the hope that it will be
 useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-General Public License for more details.<br>
+General
 Public License for more details.<br>
      <br>
 You should have received a copy of the GNU General Public License along
 with this program; if not, write to the Free Software Foundation, Inc.,
 675 Mass Ave, Cambridge, MA 02139, USA</p>
      <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
-Eastep</a></p>
+Eastep</a><br>
      <h2>This is the Shorewall 1.4 Web Site</h2>
 The information on this site applies only to 1.4.x releases of
 Shorewall. For older versions:<br>
      <ul>
        <li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
 target="_top">here.</a></li>
        <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
 target="_top">here</a>.<br>
        </li>
      </ul>
      <h2>Getting Started with Shorewall</h2>
 New to Shorewall? Start by selecting the <a
 href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
 closely match your environment
 and follow the step by step instructions.<br>
      <h2>Looking for Information?</h2>
 The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
 Index</a> is a good place to start as is the Quick Search to your
 right.
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
 If so, the documentation<b> </b>on
 this site will not apply directly to your setup. If you want
 to use the documentation that you find here, you will want to consider
 uninstalling what you have and installing a setup that matches the
 documentation on this site. See the <a href="two-interface.htm">Two-interface
 QuickStart Guide</a> for details.<br>
      <h2>News</h2>
      <p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
 style="border: 0px solid ; width: 28px; height: 12px;"
 src="images/new10.gif" alt="(New)" title=""><br>
      </b></p>
      <b>Problems Corrected since version 1.4.6 (Those in bold font
 were corrected since 1.4.7 RC2)</b><br>
      <ol>
        <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
 variable was being tested before it was set.</li>
        <li>Corrected handling of MAC addresses in the SOURCE column of
 the tcrules file. Previously, these addresses resulted in an invalid
 iptables command.</li>
        <li>The "shorewall stop" command is now disabled when
 /etc/shorewall/startup_disabled exists. This prevents people from
 shooting themselves in the foot prior to having configured Shorewall.</li>
        <li>A change introduced in version 1.4.6 caused error messages
 during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
 were being added to a PPP interface; the addresses were successfully
 added in spite of the messages.<br>
 &nbsp;&nbsp;&nbsp; <br>
 The firewall script has been modified to eliminate the error messages</li>
        <li>Interface-specific dynamic blacklisting chains are
 now displayed by "shorewall monitor" on the "Dynamic Chains" page
 (previously named "Dynamic Chain").</li>
        <li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
        <li>The 'shorewall reject' and
 'shorewall drop' commands now delete any existing rules for the subject
 IP address before adding a new DROP or REJECT rule. Previously, there
 could be many rules for the same IP address in the dynamic chain so
 that multiple 'allow' commands were required to re-enable traffic
 to/from the address.</li>
        <li>When ADD_SNAT_ALIASES=Yes in
 shorewall.conf, the following entry in /etc/shorewall/masq resulted in
 a startup error:<br>
 &nbsp;<br>
 &nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
 206.124.146.20-206.124.146.24<br>
          <br>
        </li>
        <li>Shorewall previously choked over
 IPV6 addresses configured on interfaces in contexts where Shorewall
 needed to detect something about the interface (such as when "detect"
 appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
        <li>Shorewall will now load
 module files that are formed from the module name by appending ".o.gz".</li>
        <li>When Shorewall adds a route to a
 proxy ARP host and such a route already exists, two routes resulted
 previously. This has been corrected so that the existing route is
 replaced if it already exists.</li>
        <li>The rfc1918 file has been
 updated to reflect recent allocations.</li>
        <li>The documentation of the
 USER SET column in the rules file has been corrected.</li>
        <li>If there is no policy
 defined for
 the zones specified in a rule, the firewall script previously
 encountered a shell syntax error:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
          <br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
          <br>
 Now, the absence of a policy generates an error message and the
 firewall is stopped:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
          <br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
 &lt;source&gt; to zone &lt;dest&gt;<br>
          <br>
        </li>
        <li>Previously, if neither
 /etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
 would fail to start and would not remove the lock file. Failure to
 remove the lock file resulted in the following during subsequent
 attempts to start:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
          <br>
 &nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
 &nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
 &nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
 &nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
 &nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
          <br>
 Shorewall now reports a fatal error if neither of these two files exist
 and correctly removes the lock fille.</li>
        <li>The order of processing
 the
 various options has been changed such that blacklist entries now take
 precedence over the 'dhcp' interface setting.</li>
        <li>The log message generated
 from the
 'logunclean' interface option has been changed to reflect a disposition
 of LOG rather than DROP.</li>
        <li><span style="font-weight: bold;">When a user name and/or a
 group
 name was specified in the USER SET column and the destination zone was
 qualified with a IP address, the user and/or group name was not being
 used to qualify the rule.<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp; Example:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
          <br>
          </span></li>
        <li><span style="font-weight: bold;">The /etc/shorewall/masq
 file has had the spurious "/" character at the front removed.</span></li>
      </ol>
      <b>Migration Issues:</b><br>
      <ol>
        <li>Shorewall IP Traffic Accounting has changed since snapshot
 20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
 details.</li>
        <li>The Uset Set capability introduced in SnapShot 20030821 has
 changed -- see the <a href="UserSets.html">User Set page</a> for
 details.</li>
        <li>The per-interface Dynamic Blacklisting facility introduced
 in the first post-1.4.6 Snapshot has been removed. The facility had too
 many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
        </li>
      </ol>
      <b>New Features:</b><br>
      <ol>
        <li>Thanks to Steve Herber, the 'help' command can now give
 command-specific help (e.g., shorewall help &lt;command&gt;).</li>
        <li>A new option "ADMINISABSENTMINDED" has been added to
 /etc/shorewall/shorewall.conf. This option has a default value of "No"
 for existing users which causes Shorewall's 'stopped' state &nbsp;to
 continue as it has been; namely, in the stopped state only traffic
 to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
          <br>
 With ADMINISABSENTMINDED=Yes (the default for new installs), in
 addition to traffic to/from the hosts listed in
 /etc/shorewall/routestopped, Shorewall will allow:<br>
          <br>
 &nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
 &nbsp;&nbsp; b) All traffic that is part of or related to an
 already-existing connection.<br>
          <br>
 &nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
 entered through an ssh session will not kill the session.<br>
          <br>
 &nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
 possible for people to shoot themselves in the foot.<br>
          <br>
 &nbsp;Example:<br>
          <br>
 &nbsp;/etc/shorewall/nat:<br>
          <br>
 &nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
 eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
          <br>
 &nbsp;/etc/shorewall/rules:<br>
          <br>
 &nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
 loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
 &nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
          <br>
 From a remote system, I ssh to 206.124.146.178 which establishes an SSH
 connection with local system 192.168.1.5. I then create a second SSH
 connection
 from that computer to the firewall and confidently type "shorewall
 stop".
 As part of its stop processing, Shorewall removes eth0:0 which kills my
 SSH
 connection to 192.168.1.5!!!</li>
        <li>Given the wide range of VPN software, I can never hope to
 add specific support for all of it. I have therefore decided to add
 "generic" tunnel support.<br>
 &nbsp;<br>
 Generic tunnels work pretty much like any of the other tunnel types.
 You usually add a zone to represent the systems at the other end of the
 tunnel and you add the appropriate rules/policies to<br>
 implement your security policy regarding traffic to/from those systems.<br>
 &nbsp;<br>
 In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
          <br>
 generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
 address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
 &nbsp;<br>
 where:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
 used by the tunnel<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
 is 'udp' or 'tcp' then this is the destination port number used by the
 tunnel.<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
 the remote tunnel gateway<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
 address of the remote tunnel gateway.<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
 Optional. A comma-separated list of zone names. If specified, the
 remote gateway is to be considered part of these zones.</li>
        <li>An 'arp_filter' option has been added to the
 /etc/shorewall/interfaces file. This option causes
 /proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
 result that this interface will only answer ARP 'who-has' requests from
 hosts that are routed out through that interface. Setting this option
 facilitates testing of your firewall where multiple firewall interfaces
 are connected to the same HUB/Switch (all interfaces connected to the
 single HUB/Switch should have this option specified). Note that using
 such a configuration in a production environment is strongly
 recommended against.</li>
        <li>The ADDRESS column in /etc/shorewall/masq may now include a
 comma-separated list of addresses and/or address ranges. Netfilter will
 use all listed addresses/ranges in round-robin fashion. \</li>
        <li>An /etc/shorewall/accounting file has been added to allow
 for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
 documentation</a> for a description of this facility.</li>
        <li>Bridge interfaces (br[0-9]) may now be used in
 /etc/shorewall/maclist.</li>
        <li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
 /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
 rules, rate limiting occurs in the nat table DNAT rule; the
 corresponding ACCEPT rule in the filter table is not rate limited. If
 you want to limit the filter table rule, you will need o create two
 rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
 separately.<br>
 &nbsp;<br>
          <span style="font-weight: bold;">Warning: </span>When rate
 limiting is specified on a rule with "all" in the SOURCE or DEST
 fields, the limit will apply to each pair of zones individually rather
 than as a single limit for all pairs of covered by the rule.<br>
 &nbsp;<br>
 To specify a rate limit, <br>
          <br>
 a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
 &lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
 &nbsp;<br>
 &nbsp;
 where<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
 &lt;interval&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
 accepted within an &lt;interval&gt;. If not given, the default of 5 is
 assumed.<br>
 &nbsp;<br>
 There may be no white space between the ACTION and "&lt;" nor there may
 be any white space within the burst specification. If you want to
 specify logging of a rate-limited rule, the ":" and log level comes
 after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
          <br>
 b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
 file. You may specify the rate limit there in the format:<br>
          <br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 &lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
 &nbsp;<br>
 Let's take an example:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
 tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
 &nbsp;&nbsp;&nbsp; <br>
 The first time this rule is reached, the packet will be accepted; in
 fact, since the burst is 4, the first four packets will be accepted.
 After this, it will be 500ms (1 second divided by the rate<br>
 of 2) before a packet will be accepted from this rule, regardless of
 how many packets reach it. Also, every 500ms which passes without
 matching a packet, one of the bursts will be regained; if no packets
 hit the rule for 2 second, the burst will be fully recharged; back
 where we started.<br>
        </li>
        <li>Multiple chains may now be displayed in one "shorewall
 show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
        <li>Output rules (those with $FW as the SOURCE) may now be
 limited to a set of local users and/or groups. See <a
 href="UserSets.html">http://shorewall.net/UserSets.html</a>
 for details.<br>
          <br>
        </li>
      </ol>
      <p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
      <p>Thanks to Dave Kempe and Solutions First (<a
 href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
 there is now a Shorewall Mirror in Australia:</p>
      <p style="margin-left: 40px;"><a
 href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
 size="3"><br>
      <a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
      </p>
-      <p><b>8/26/2003 - French Version of the Shorewall Setup
+      <h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
-Guide&nbsp;</b></p>
+If so, the documentation<b> </b>on this site will not apply directly
 Thanks to Fabien <font size="3">Demassieux, there is now a <a
 href="shorewall_setup_guide_fr.htm">French translation of the
 Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
      </font>
      <p><b>8/5/2003 - Shorewall-1.4.6b</b><b>&nbsp; <br>
      </b></p>
      <b>Problems Corrected since version 1.4.6:</b><br>
      <ol>
        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf
 then Shorewall would fail to start with the error "ERROR: &nbsp;Traffic
 Control requires Mangle"; that problem has been corrected.</li>
        <li>Corrected handling of MAC addresses in the SOURCE column of
 the
 tcrules file. Previously, these addresses resulted in an invalid
 iptables
 command.</li>
        <li>The "shorewall stop" command is now disabled when
 /etc/shorewall/startup_disabled
 exists. This prevents people from shooting themselves in the foot prior
 to
-having configured Shorewall.</li>
+your setup. If you want to use the documentation that you find here,
-        <li>A change introduced in version 1.4.6 caused error messages
+you will want to consider uninstalling what you have and installing a
-during
+setup that matches the documentation on this site. See the <a
-"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
+ href="two-interface.htm">Two-interface QuickStart Guide</a> for
-being
+details.<br>
-added to a PPP interface; the addresses were successfully added in
+      <h2>News</h2>
-spite
+      <p><b>11/07/2003 - Shorewall 1.4.8</b><b> <img
-of the messages.<br>
+ style="border: 0px solid ; width: 28px; height: 12px;"
-&nbsp;&nbsp; <br>
+ src="images/new10.gif" alt="(New)" title=""></b><b><br>
-The firewall script has been modified to eliminate the error messages.<br>
+      <br>
      </b>Problems Corrected since version 1.4.7:<br>
      </p>
      <ol>
        <li>Tuomo Soini has supplied a correction to a problem that
 occurs
 using some versions of 'ash'. The symptom is that "shorewall start"
 fails with:<br>
 &nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
 &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.</li>
        <li>Andres Zhoglo has supplied a correction that avoids trying
 to use the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Example of rule that previously caused "shorewall start"
 to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
          <br>
        </li>
        <li>Previously, if the following error message was issued,
 Shorewall was left in an inconsistent state.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
          <br>
        </li>
        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
 been corrected.</li>
        <li>In Shorewall 1.4.2, an optimization was added. This
 optimization
 involved creating a chain named "&lt;zone&gt;_frwd" for most zones
 defined using the /etc/shorewall/hosts file. It has since been
 discovered that in many cases these new chains contain redundant rules
 and that the "optimization" turns out to be less than optimal. The
 implementation has now been corrected.</li>
        <li>When the MARK value in a tcrules entry is followed by ":F"
 or
 ":P", the ":F" or ":P" was previously only applied to the first
 Netfilter rule generated by the entry. It is now applied to all entries.</li>
        <li>An incorrect comment concerning Debian's use of the
 SUBSYSLOCK option has been removed from shorewall.conf.</li>
        <li>Previously, neither the 'routefilter' interface option nor
 the
 ROUTE_FILTER parameter were working properly. This has been corrected
 (thanks to Eric Bowles for his analysis and patch). The definition of
 the ROUTE_FILTER option has changed however. Previously,
 ROUTE_FILTER=Yes was documented as enabling route filtering on all
 interfaces (which didn't work). Beginning with this release, setting
 ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
 up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
 coexist with the use of the 'routefilter' option in the interfaces file.</li>
        <li>If MAC verification was enabled on an interface with a /32
 address and
 a broadcast address then an error would occur during startup.</li>
        <li>he NONE policy's intended use is to suppress the generating
 of
 rules that can't possibly be traversed. This means that a policy of
 NONE is inappropriate where the source or destination zone is $FW or
 "all". Shorewall now generates an error message if such a policy is
 given in /etc/shorewall/policy. Previously such a policy caused
 "shorewall start" to fail.</li>
        <li>The 'routeback' option was broken for wildcard interfaces
 (e.g.,
 "tun+"). This has been corrected so that 'routeback' now works as
 expected in this case.<br>
        </li>
      </ol>
 Migration Issues:<br>
      <ol>
        <li>The definition of the ROUTE_FILTER option in shorewall.conf
 has changed as described in item 8) above.<br>
        </li>
      </ol>
 New Features:<br>
      <ol>
        <li>A new QUEUE action has been introduced for rules. QUEUE
 allows
 you to pass connection requests to a user-space filter such as ftwall
 (http://p2pwall.sourceforge.net). The ftwall program
 allows for effective filtering of p2p applications such as Kazaa. For
 example, to use ftwall to filter P2P clients in the 'loc' zone, you
 would add the following rules:<br>
          <br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
          <br>
 You would normally want to place those three rules BEFORE any ACCEPT
 rules for loc-&gt;net udp or tcp.<br>
          <br>
 Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
 Shorewall will only pass connection requests (SYN packets) to user
 space. This is for compatibility with ftwall.</li>
        <li>A BLACKLISTNEWNONLY option has been added to
 shorewall.conf. When this option is set to "Yes", the blacklists
 (dynamic and static) are only consulted for new connection requests.
 When set to "No" (the default if the variable is not set), the
 blacklists are consulted on every packet.<br>
          <br>
 Setting this option to "No" allows blacklisting to stop existing
 connections from a newly blacklisted host but is more expensive in
 terms of packet processing time. This is especially true if the
 blacklists contain a large number of entries.</li>
        <li>Chain names used in the /etc/shorewall/accounting file may
 now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
      </ol>
      <p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
 bag awards </b><b><img
 style="border: 0px solid ; width: 50px; height: 80px;"
 src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
 1.4.7c released.</b> </p>
      <ol>
        <li>The saga with "&lt;zone&gt;_frwd" chains continues. The
 1.4.7c
 script produces a ruleset that should work for everyone even if it is
 not
 quite optimal. My apologies for this ongoing mess.<br>
        </li>
      </ol>
      <p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
      <p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
      </p>
      <ol>
        <li>The fix for problem 5 in 1.4.7a was wrong with the result
 that
 "&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
 is corrected in this release.<br>
        </li>
      </ol>
      <p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
      <p>This is a bugfix rollup of the following problem corrections:<br>
      </p>
      <ol>
        <li>Tuomo Soini has supplied a correction to a problem that
 occurs
 using some versions of 'ash'. The symptom is that "shorewall start"
 fails with:<br>
 &nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
 &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.<br>
          <br>
        </li>
        <li>Andres Zhoglo has supplied a correction that avoids trying
 to use the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Example of rule that previously caused "shorewall start"
 to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
          <br>
        </li>
        <li>Previously, if the following error message was issued,
 Shorewall was left in an inconsistent state.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Error: Unable to determine the routes through
 interface xxx<br>
          <br>
        </li>
        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
 been corrected.</li>
        <li>In Shorewall 1.4.2, an optimization was added. This
 optimization
 involved creating a chain named "&lt;zone&gt;_frwd" for most zones
 defined using the /etc/shorewall/hosts file. It has since been
 discovered that in many cases these new chains contain redundant rules
 and that the "optimization" turns out to be less than optimal. The
 implementation has now been corrected.</li>
        <li>When the MARK value in a tcrules entry is followed by ":F"
 or
 ":P", the ":F" or ":P" was previously only applied to the first
 Netfilter rule generated by the entry. It is now applied to all entries.<br>
        </li>
      </ol>
      <ol>
      </ol>
      <p><b></b></p>
      <ol>
@ -432,56 +310,33 @@ You can find their work at: <a
 href="http://leaf.sourceforge.net/devel/jnilo">
 http://leaf.sourceforge.net/devel/jnilo<br>
      </a></p>
-      <b>Congratulations to Jacques
+      <b>Congratulations to Jacques and Eric on the recent release of
-and Eric on the recent release of Bering 1.2!!! </b><br>
+Bering 1.2!!! <br>
      <h2><a name="Donations"></a>Donations</h2>
      </td>
      <td width="88" bgcolor="#3366ff" valign="top" align="center">
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch"> <strong><br>
        <font color="#ffffff"><b>Note: </b></font></strong><font
 color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
        <strong></strong>
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
        <font face="Arial" size="-1"> <input type="text" name="words"
 size="15"></font><font size="-1"> </font> <font face="Arial"
 size="-1"> <input type="hidden" name="format" value="long"> <input
 type="hidden" name="method" value="and"> <input type="hidden"
 name="config" value="htdig"> <input type="submit" value="Search"></font>
        </p>
        <font face="Arial"> <input type="hidden" name="exclude"
 value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
      <p><font color="#ffffff"><b><a
 href="http://lists.shorewall.net/htdig/search.html"><font
 color="#ffffff">Extended Search</font></a></b></font></p>
      <br>
      </b>
      <div style="text-align: center;">
      <div style="text-align: center;"><a
 href="http://www.shorewall.net" target="_top"><img
 src="images/ProtectedBy.png" title="" alt="(Protected by Shorewall)"
 style="border: 0px solid ; width: 216px; height: 45px;"></a></div>
      </div>
      <h2><a name="Donations"></a>Donations</h2>
      <p style="text-align: left;"><a href="http://www.starlight.org"> <img
 style="border: 4px solid ; width: 57px; height: 100px;"
 src="images/newlog.gif" align="left" hspace="10" alt="(Starlight Logo)"
 title=""></a><br>
      <big>Shorewall is free but if you try it and find it useful,
 please consider making a donation to <a href="http://www.starlight.org">Starlight
 Children's Foundation</a>. Thanks!</big><br>
      <a href="http://www.starlight.org"> </a></p>
      </td>
    </tr>
  </tbody>
 </table>
 </center>
 </div>
-<table border="0" cellpadding="5" cellspacing="0"
+<p><font size="2">Updated 11/13/2003 - <a href="support.htm">Tom Eastep</a></font>
 style="border-collapse: collapse;" width="100%" id="AutoNumber2"
 bgcolor="#3366ff">
  <tbody>
    <tr>
      <td width="100%" style="margin-top: 1px;" valign="middle">
      <p align="center"><a href="http://www.starlight.org"> <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10" alt="(Starlight Logo)"> </a></p>
      <p align="center"><font size="4" color="#ffffff"><br>
      <font size="+2"> Shorewall is free but if you try it and find it
 useful, please consider making a donation to <a
 href="http://www.starlight.org"><font color="#ffffff">Starlight
 Children's Foundation.</font></a> Thanks!</font></font></p>
      </td>
    </tr>
  </tbody>
 </table>
 <p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
 <br>
 </p>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shoreline.htm
+++ b/Shorewall-docs/shoreline.htm
@ -9,18 +9,10 @@
  <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<p align="center"> </p>
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+<h1 style="text-align: center;">Tom Eastep<br>
- bgcolor="#3366ff" height="90">
+</h1>
-  <tbody>
+<p align="center"><img border="3" src="images/Tom.jpg"
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p align="center"> <img border="3" src="images/Tom.jpg"
 alt="Aging Geek - June 2003" width="320" height="240"> </p>
 <p align="center">"The Aging Geek" -- June 2003<br>
 <br>
--- a/Shorewall-docs/shorewall_extension_scripts.htm
+++ b/Shorewall-docs/shorewall_extension_scripts.htm
@ -1,118 +1,89 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Extension Scripts</title>
 </head>
-  <body>
+<body>
-       
+<h1 style="text-align: center;">Extension Scripts<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<p>Extension scripts are user-provided scripts that are invoked at
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+various points during firewall start, restart, stop and clear. The
-                 <tbody>
+scripts are placed in /etc/shorewall and are processed using the Bourne
-        <tr>
+shell "source" mechanism.<br>
-                   <td width="100%">                      
+</p>
      <h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
                   </td>
                 </tr>
  </tbody>   
 </table>
 <p>  Extension scripts are   user-provided  scripts that are invoked at various 
 points during firewall   start, restart,  stop and clear. The scripts are 
 placed in /etc/shorewall and   are processed  using the Bourne shell "source" 
 mechanism.<br>
 </p>
 <p><font color="#ff0000"><b>Caution: <br>
-  </b></font></p>
+</b></font></p>
 <ol>
  <li><font color="#ff0000"><b>Be sure that you actually need to use an
-extension  script to do what you want. Shorewall has a wide range of features
+extension script to do what you want. Shorewall has a wide range of
 features
 that cover most requirements.</b></font></li>
-   <li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON 
+  <li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND
-THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
+ON THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT
- SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
+BREAK SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT
 YOU ARE
 DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
 </ol>
 <p>The following scripts can be supplied:</p>
 <ul>
-        <li>init -- invoked early in "shorewall start" and       "shorewall 
+  <li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
 restart"</li>
  <li>start -- invoked after the firewall has been started or restarted.</li>
-        <li>stop -- invoked as a first step when the firewall is being stopped.</li>
+  <li>stop -- invoked as a first step when the firewall is being
 stopped.</li>
  <li>stopped -- invoked after the firewall has been stopped.</li>
  <li>clear -- invoked after the firewall has been cleared.</li>
  <li>refresh -- invoked while the firewall is being refreshed but
 before the common and/or blacklst chains have been rebuilt.</li>
-        <li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' 
+  <li>newnotsyn (added in version 1.3.6) -- invoked after the
- chain     has been created but before any rules have been added to it.</li>
+'newnotsyn' chain has been created but before any rules have been added
-      
+to it.</li>
 </ul>
-         
+<p><u><b>If your version of Shorewall doesn't have the file that you
-<p><u><b>If your version of Shorewall doesn't have the file that you want 
+want to use from the above list, you can simply create the file
- to use from the above list, you can simply create the file yourself.</b></u></p>
+yourself.</b></u></p>
-      
+<p> You can also supply a script with the same name as any of the
-<p>   You can also supply a script with the same name as any of the filter 
+filter chains in the firewall and the script will be invoked after the
-   chains  in the firewall and the script will be invoked after the   /etc/shorewall/rules 
+/etc/shorewall/rules file has been processed but before the
-   file has been processed but before the   /etc/shorewall/policy file has 
+/etc/shorewall/policy file has been processed.</p>
- been  processed.</p>
+<p>The /etc/shorewall/common file receives special treatment. If this
-         
+file is present, the rules that it defines will totally replace the
-<p>The /etc/shorewall/common file receives special treatment. If this file 
+default rules in the common chain. These default rules are contained in
- is present, the rules that it       defines will totally replace the default 
+the file /etc/shorewall/common.def which may be used as a starting
- rules in the common chain. These         default rules are contained in the
+point for making your own customized file.</p>
 file /etc/shorewall/common.def which        may be used as a starting point
 for making your own customized file.</p>
 <p> Rather than running iptables directly, you should run it using the
-function  run_iptables. Similarly, rather than running "ip" directly, you
+function run_iptables. Similarly, rather than running "ip" directly,
- should use run_ip. These functions accept the same arguments as the  underlying
+you should use run_ip. These functions accept the same arguments as the
- command but cause the firewall to be stopped if an error occurs   during
+underlying command but cause the firewall to be stopped if an error
 occurs during
 processing of the command.</p>
 <p> If you decide to create /etc/shorewall/common it is a good idea to
 use the following technique</p>
 <p> /etc/shorewall/common:</p>
 <blockquote>
  <pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
-      </blockquote>
+</blockquote>
-      
+<p>If you need to supercede a rule in the released common.def file, you
-<p>If you need to supercede a rule in the released common.def file, you can 
+can add the superceding rule before the '.' command. Using this
- add   the superceding rule before the '.' command. Using this technique allows
+technique allows you to add new rules while still getting the benefit
-   you to add new rules while still getting the benefit of the latest common.def
+of the latest common.def file.</p>
-   file.</p>
+<p>Remember that /etc/shorewall/common defines rules that are only
-        
+applied if the applicable policy is DROP or REJECT. These rules are NOT
-<p>Remember that /etc/shorewall/common defines rules   that are only applied 
+applied if the policy is ACCEPT or CONTINUE<br>
- if the applicable policy is DROP or REJECT. These rules   are NOT applied 
+</p>
 if the policy is ACCEPT or CONTINUE<br>
  </p>
 <p> </p>
 <p align="left"><font size="2">Last updated 6/30/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
-      
+<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002, 2003 
+2003 Thomas M. Eastep</font></a></p>
- Thomas M. Eastep</font></a></p>
+<br>
-      <br>
+<br>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_features.htm
+++ b/Shorewall-docs/shorewall_features.htm
@ -1,119 +1,98 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Features</title>
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">Shorewall Features<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
       <tbody>
        <tr>
         <td width="100%">       
      <h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
         </td>
       </tr>
  </tbody> 
 </table>
 <ul>
-       <li>Uses Netfilter's connection tracking facilities for stateful packet 
+  <li>Uses Netfilter's connection tracking facilities for stateful
-    filtering.</li>
+packet filtering.</li>
-       <li>Can be used in a <b> wide range of router/firewall/gateway applications</b>. 
+  <li>Can be used in a <b> wide range of router/firewall/gateway
-     
+applications</b>.
    <ul>
      <li>Completely customizable using configuration files.</li>
      <li>No limit on the number of network interfaces.</li>
      <li>Allows you to partitions the network into <i><a
 href="Documentation.htm#Zones">zones</a></i> and gives you complete
- control over the connections permitted between         each pair of zones.</li>
+control over the connections permitted between each pair of
 zones.</li>
      <li>Multiple interfaces per zone and multiple zones per interface
-        permitted.</li>
+permitted.</li>
      <li>Supports nested and overlapping zones.</li>
    </ul>
  </li>
-       <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a> 
+  <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
-to  help    get your first firewall up and running quickly</li>
+(HOWTOs)</a> to help get your first firewall up and running quickly</li>
  <li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
 href="http://www.webmin.com">http://www.webmin.com</a>)<br>
  </li>
  <li>Extensive <b> <a
- href="shorewall_quickstart_guide.htm#Documentation">documentation</a>  
+ href="shorewall_quickstart_guide.htm#Documentation">documentation</a> </b>
-    </b>   included in the .tgz and .rpm downloads.</li>
+included in the .tgz and .rpm downloads.</li>
  <li><b>Flexible address management/routing support</b> (and you can
 use all types in the same firewall):
    <ul>
      <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
      <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
-         <li><a href="Documentation.htm#NAT">     Static NAT</a>.</li>
+      <li><a href="Documentation.htm#NAT">One-to-one NAT</a>.</li>
      <li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
      <li>Simple host/subnet Routing</li>
    </ul>
  </li>
  <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
 individual IP addresses and subnetworks is supported.</li>
-       <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>: 
+  <li><b><a href="starting_and_stopping_shorewall.htm">Operational
-     
+support</a></b>:
    <ul>
      <li>Commands to start, stop and clear the firewall</li>
      <li>Supports status monitoring with an audible
 alarm when an "interesting" packet is detected.</li>
      <li>Wide variety of informational commands.</li>
    </ul>
  </li>
  <li><b>VPN Support</b>
    <ul>
-         <li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP     and 
+      <li><a href="Documentation.htm#Tunnels">IPSEC, GRE,&nbsp; IPIP
 and
 OpenVPN Tunnels</a>.</li>
      <li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
    </ul>
  </li>
-       <li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a> 
+  <li>Support for <a href="traffic_shaping.htm"><b>Traffic
-      integration.</li>
+Control/Shaping</b></a> integration.</li>
  <li>Wide support for different <b>GNU/Linux Distributions</b>.
    <ul>
      <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
- href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a> 
+ href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian"><b>Debian</b></a>
-          packages available.</li>
+packages available.</li>
-         <li>Includes <a href="Install.htm"><b>automated install, upgrade, 
+      <li>Includes <a href="Install.htm"><b>automated install,
-fallback          and uninstall facilities</b></a> for users who can't use 
+upgrade, fallback and uninstall facilities</b></a> for users
-or choose  not         to use the RPM or Debian packages.</li>
+who can't use or choose not to use the RPM or Debian packages.</li>
      <li>Included as a standard part of<b> <a
 href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
- on a floppy, CD or compact flash).</li>
+on a floppy, CD or compact flash).</li>
    </ul>
  </li>
  <li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
-Address      <b>Verification</b><br>
+Address <b>Verification</b></a></li>
  <li><a href="Accounting.html">Traffic Accounting<br>
    </a><br>
  </li>
 </ul>
-  
+<p><font size="2">Last updated 11/13/2003 - <a href="support.htm">Tom
-<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
-   </p>
+</p>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_firewall_structure.htm
+++ b/Shorewall-docs/shorewall_firewall_structure.htm
@ -1,332 +0,0 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Shorewall Firewall Structure</title>
 </head>
  <body>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
             <tbody>
        <tr>
               <td width="100%">                                       
      <h1 align="center"><font color="#ffffff">Firewall Structure (Under
 Construction)</font></h1>
               </td>
             </tr>
  </tbody>    
 </table>
 <p>  Shorewall views the network in which it is running as a set of     
 <i> zones. </i>Shorewall itself defines exactly   one zone called "fw" which
  refers to the firewall system itself . The   /etc/shorewall/zones file
 is   used to define additional zones and the example file   provided with
 Shorewall   defines the zones:</p>
 <ol>
             <li>  net -- the (untrusted) internet.</li>
             <li>  dmz - systems that must be accessible from       the internet
  and from the local network.  These systems cannot be trusted completely
 since  their servers may have been       compromised through a security exploit.</li>
             <li>  loc - systems in your local network(s).       These systems
  must be protected from the internet and from the DMZ and in       some
 cases,   from each other.</li>
 </ol>
 <p><b>Note: </b><a href="#Conf">You can specify the name of the firewall
 zone</a>.  For ease of description in this documentation, it is assumed 
 that the firewall zone is named "fw".</p>
 <p>It can't be stressed enough that  with the exception of the firewall zone,
  Shorewall itself attaches no meaning to  zone names. Zone names are simply
  labels used to refer to a collection of  network hosts.</p>
 <p>While zones are normally disjoint (no two zones have a host in common), 
   there are cases where nested or overlapping zone definitions are appropriate.</p>
 <p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the purpose
 of this document, we will consider Netfilter to have three tables:</p>
 <ol>
     <li>Filter table -- this is the main table for packet filtering and
 can  be displayed with the command "shorewall show".</li>
     <li>Nat table -- used for all forms of Network Address Translation (NAT); 
 SNAT, DNAT and MASQUERADE.</li>
     <li>Mangle table -- used to modify fields in the packet header.<br>
     </li>
 </ol>
 <p>Netfilter defines a number of inbuilt chains: PREROUTING, INPUT, OUTPUT, 
 FORWARD and POSTROUTING. Not all inbuilt chains are present in all tables 
 as shown in this table.<br>
   </p>
 <div align="center">   
 <table cellpadding="2" cellspacing="2" border="1">
     <tbody>
       <tr>
         <td valign="top">CHAIN<br>
         </td>
         <td valign="top">Filter<br>
         </td>
         <td valign="top">Nat<br>
         </td>
         <td valign="top">Mangle<br>
         </td>
       </tr>
       <tr>
         <td valign="top">PREROUTING<br>
         </td>
         <td valign="top"><br>
         </td>
         <td valign="top">X<br>
         </td>
         <td valign="top">X<br>
         </td>
       </tr>
       <tr>
         <td valign="top">INPUT<br>
         </td>
         <td valign="top">X<br>
         </td>
         <td valign="top"><br>
         </td>
         <td valign="top">X<br>
         </td>
       </tr>
       <tr>
         <td valign="top">OUTPUT<br>
         </td>
         <td valign="top">X<br>
         </td>
         <td valign="top">X<br>
         </td>
         <td valign="top">X<br>
         </td>
       </tr>
       <tr>
         <td valign="top">FORWARD<br>
         </td>
         <td valign="top">X<br>
         </td>
         <td valign="top"><br>
         </td>
         <td valign="top">X<br>
         </td>
       </tr>
       <tr>
         <td valign="top">POSTROUTING<br>
         </td>
         <td valign="top"><br>
         </td>
         <td valign="top">X<br>
         </td>
         <td valign="top">X<br>
         </td>
       </tr>
  </tbody>   
 </table>
   </div>
 <p>Shorewall doesn't create rules in all of the builtin chains. In the large 
 diagram below are boxes such as  shown below.  This box represents in INPUT 
 chain and shows that packets first flow through the INPUT chain in the Mangle 
 table followed by the INPUT chain in the Filter table. The parentheses around 
 "Mangle" indicate that while the packets will flow through the INPUT chain 
 in the Mangle table, Shorewall does not create any rules in that chain.<br>
   </p>
 <div align="center"><img src="images/Legend.png" alt="(Box Legend)"
 width="145" height="97" align="middle">
   <br>
   </div>
 <p></p>
 <p>Here is a picture of how packets traverse the various chains and tables
  in Netfilter. In that diagram, "Local Process" refers to a process running
  on the Firewall itself (in the 'fw' zone).</p>
 <div align="center"><img src="images/Netfilter.png"
 alt="Netfilter Flow Diagram" width="541" height="767">
       </div>
 <p><br>
   <br>
   In the text that follows, the paragraph numbers correspond to the box
 number  in the diagram above.<br>
   </p>
 <ol>
     <li>Packets entering the firewall first pass through the <i>mangle </i>table's 
   PREROUTING chain (you can see the mangle table by typing "shorewall show 
   mangle"). If the packet entered through an interface that has the <b>norfc1918</b> 
   option and if iptables/netfilter doesn't support the connection tracking 
 match extension, then the packet is sent down the <b>man1918</b> chain which 
 will  drop  the packet if its destination IP address is reserved (as specified
 in the  /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
 pretos</b>  chain to set its TOS field as specified in the /etc/shorewall/tos
 file.  Finally, if traffic control/shaping is being used, the packet is
 sent  through  the<b> tcpre</b> chain to be marked for later use in policy
 routing  or traffic  control.<br>
       <br>
   Next, if the packet isn't part of an established connection, it passes 
  through the<i> nat</i> table's PREROUTING chain (you can see the nat table
  by  typing "shorewall show nat"). If you are doing both static nat and
 port  forwarding, the order in which chains are traversed is dependent on
 the  setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is
 on then  packets will ender a chain called<b> <i>interface_</i>in</b> where
    <i>interface</i>  is  the name of the interface on which the packet entered.
 Here it's destination  IP  is compared to each of the <i>EXTERNAL</i> IP
 addresses from /etc/shorewall/nat   that correspond to this interface; if
 there is a match, DNAT is applied  and the  packet header is modified to
 the IP in the <i>INTERNAL</i> column  of the nat  file record. If the destination
 address doesn't match any of the rules in the  <b><i>interface_</i>in</b>
 chain then the packet enters a chain  called <b><i>sourcezone</i>_dnat</b>
 where <i>sourcezone</i> is the source zone of the packet. There it is compared
 for a match against each of the DNAT records in the rules file that specify
    <i>  sourcezone     </i>as the source  zone. If a match is found, the
 destination IP  address (and possibly the destination port) is modified based
 on the rule  matched. If NAT_BEFORE_RULES is off, then the order of traversal
 of the <b><i>  interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b>  is
 reversed.<br>
       <br>
     </li>
     <li>Depending on whether the packet is destined for the firewall itself 
 or for another system, it follows either the left or the right path. Traffic 
 going to the firewall goes through chain called INPUT in the mangle table. 
 Shorewall doesn't add any rules to that chain.<br>
     <br>
   </li>
   <li>Traffic that is to be forwarded to another host goes through the chains 
 called FORWARD in the mangle table. If MARK_IN_FORWARD=Yes in shorewall.conf, 
 all rules in /etc/shorewall/tcrules that do not specify Prerouting (:P) are 
 processed in a chain called <br>
     <br>
   </li>
  <ol>
  </ol>
     <li>Traffic is next sent to an<i> interface </i>chain in the main Netfilter
  table  (called 'filter'). If the traffic is destined for the  firewall
 itself,   the name of the interface chain is formed by appending "_in" to
 the interface   name. So traffic on eth0 destined for the firewall will
 enter a  chain called       <i>eth0_in</i>. The interface chain for traffic
 that will be routed to  another  system is formed by appending "_fwd" to
 the interface name. So traffic  from  eth1 that is going to be forwarded
 enters a chain called<i> eth1_fwd</i>.    Interfaces described with the wild-card
 character ("+") in  /etc/shorewall/interfaces,  share input chains. if <i>ppp+
    </i>appears in  /etc/shorewall/interfaces then all PPP interfaces (ppp0,
 ppp1, ...) will share  the interface chains <i>ppp_in</i>  and <i>ppp_fwd</i>.
 In other words, "+" is  deleted from the name before forming the input chain
 names.<br>
     <br>
 While the use of interfacechains may seem wasteful in simple environments,
  in  complex setups it substantially reduces the number of rules that each
  packet  must traverse.  </li>
 </ol>
 <p>  Traffic directed from a zone to the firewall itself is sent through
 a chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from 
  the   internet and addressed to the firewall is sent through a chain named 
  net2fw.   Similarly, traffic originating in the firewall and being sent 
 to  a host in a   given zone is sent through a chain named fw2<i>&lt;zone 
 name&gt;.        </i>For   example, traffic originating in the firewall and 
 destined  for a host in the   local network is sent through a chain named 
 <i>fw2loc.</i>        <font face="Century Gothic, Arial, Helvetica">   </font></p>
 <p>  Traffic being forwarded between two zones (or from one interface to
 a zone to another interface to that zone) is sent through a chain named <i> 
  &lt;source   zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example, 
  traffic   originating in a local system and destined for a remote web server 
  is   sent through chain       <i>loc2net. </i>This chain is referred to 
 as the <i>canonical</i>    chain from &lt;source zone&gt; to &lt;destination 
  zone&gt;. Any destination NAT will have occurred <u>before</u>   the packet 
  traverses one of these chains so rules in /etc/shorewall/rules   should 
 be  expressed in terms of the destination system's real IP address as   opposed 
  to its apparent external address. Similarly, source NAT will occur <u>after</u> 
      the packet has traversed the appropriate forwarding chain so the rules 
  again   will be expressed using the source system's real IP address.</p>
 <p>  For each record in the /etc/shorewall/policy file, a chain is   created.
  Policies in that file are expressed in terms of a source zone and   destination
  zone where these zones may be a zone defined in   /etc/shorewall/zones,
 "fw"  or "all". Policies specifying   the pseudo-zone "all" matches all defined
  zones and "fw".   These chains are referred to as <i>Policy Chains.</i> Notice
  that for an   ordered pair of zones (za,zb), the canonical chain (za2zb)
 may also be the    policy chain for the pair or the policy chain may be
 a  different chain   (za2all, for example). Packets from one zone to another
 will traverse chains    as follows:</p>
 <ol>
             <li>  If the canonical chain exists, packets first traverse
 that   chain.</li>
             <li>  If the canonical chain and policy chain are different
 and   the packet    does not match a rule in the canonical chain, it then
 is sent   to the      policy chain.</li>
             <li>  If the canonical chain does not exist, packets are sent
 immediately    to the policy chain.</li>
 </ol>
 <p>  The canonical chain from zone za to zone zb will be created only if
 there are   exception rules defined in /etc/shorewall/rules for packets going
 from za to   zb.</p>
 <p>  Shorewall is built on top of the Netfilter kernel facility. Netfilter 
  implements connection tracking function that allow what is often referred 
  to   as "statefull inspection" of packets. This statefull property allows 
    firewall rules to be defined in terms of "connections" rather than   in
  terms of "packets". With Shorewall, you:</p>
 <ol>
             <li>  Identify the client's zone.</li>
             <li>  Identify the server's zone.</li>
             <li>  If the POLICY from the client's zone to the server's zone
  is what you     want for this client/server pair, you need do nothing further.</li>
             <li>  If the POLICY is not what you want, then you must add
 a  rule.  That rule       is expressed in terms of the client's zone and
 the  server's  zone.</li>
 </ol>
 <p>  Just because connections of a particular type are allowed between zone
  A   and the firewall and are also allowed between the firewall and zone
 B  <font color="#ff6633"><b><u>   DOES   NOT mean that these connections
 are  allowed between zone A and zone  B</u></b></font>.   It rather means
 that  you can have a proxy running on the firewall that accepts   a connection
 from zone A and then establishes its own separate connection from   the
 firewall   to zone B.</p>
 <p>  If you adopt the default policy of ACCEPT from the local zone to the
    internet zone and you are having problems connecting from a local client
  to an   internet server, <font color="#ff6633"><b><u> adding a rule won't
  help</u></b></font>     (see point 3 above).</p>
 <p><font size="2">Last modified 5/22/2003 - <a href="support.htm">Tom Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
  © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
    <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_logging.html
+++ b/Shorewall-docs/shorewall_logging.html
@ -7,18 +7,37 @@
  <meta name="author" content="Tom Eastep">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Logging</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<h2>How to Log Traffic through a Shorewall Firewall</h2>
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+The disposition of packets entering a Shorewall firewall&nbsp; is
-  <tbody>
+determined by one of a number of Shorewall facilities. Only some of
-    <tr>
+these facilities permit logging.<br>
-      <td width="100%">
+<ol>
-      <h1 align="center"><font color="#ffffff">Logging</font></h1>
+  <li>The packet is part of an established connection. The packet is
-      </td>
+accepted and cannot be logged.</li>
-    </tr>
+  <li>The packet represents a connection request that is related to an
-  </tbody>
+established connection (such as a <a href="FTP.html">data connection
-</table>
+associated with an FTP control connection</a>).&nbsp; These packets
-<br>
+also cannot be logged.</li>
  <li>The packet is rejected because of an option in <a
 href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> or <a
 href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
 These packets can be logged by setting the appropriate logging-related
 option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
  <li>The packet matches a rule in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.
 By including a syslog level (see below) in the ACTION column of a rule
 (e.g., "ACCEPT<span
 style="font-weight: bold; text-decoration: underline;">:info</span>
 net fw tcp 22"), the connection attempt will be logged at that level.</li>
  <li>The packet doesn't match a rule so is handled by a policy defined
 in <a href="Documentation.htm#Policy">/etc/shorewall/policy</a>. These
 may be logged by specifying a syslog level in the LOG LEVEL column of
 the policy entry (e.g., "loc net ACCEPT <span
 style="font-weight: bold; text-decoration: underline;">info</span>"<br>
  </li>
 </ol>
 <h2>Where the Traffic is logged and how to Change the Destination<br>
 </h2>
 By default, Shorewall directs NetFilter to log using syslog (8). Syslog
 classifies log messages by a <i>facility</i> and a <i>priority</i>
 (using the notation <i>facility.priority</i>). <br>
@ -149,7 +168,8 @@ and
 <a
 href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
 is a post describing configuring syslog-ng to work with Shorewall.<br>
-<p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
+<p><font size="2"> Updated 10/30/2003 - <a href="support.htm">Tom
 Eastep</a>
 </font></p>
 <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
 size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
--- a/Shorewall-docs/shorewall_mirrors.htm
+++ b/Shorewall-docs/shorewall_mirrors.htm
@ -9,20 +9,12 @@
  <title>Shorewall Mirrors</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Shorewall Mirrors<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p align="left"><b>Remember that updates to the mirrors are often
 delayed for 6-12 hours after an update to the primary rsync site. For
-HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
+HTML content, the main web site (<a href="http://shorewall.sf.net"
 target="_top">http://shorewall.sf.net</a>)
 is updated at the same time as the rsync site.</b></p>
 <p align="left">The main Shorewall Web Site is <a
 href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
@ -67,6 +59,9 @@ AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shore
  <li> <a target="_blank"
 href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
 (Paris, France)</li>
  <li><a href="ftp://ftp.syachile.cl/pub/shorewall" target="_top">ftp://ftp.syachile.cl/pub/shorewall
    </a>(Santiago Chile)<br>
  </li>
  <li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
 (Taipei, Taiwan)</li>
  <li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
@ -78,7 +73,7 @@ AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shore
 </ul>
 Search results and the mailing list archives are always fetched from
 the site in Washington State.<br>
-<p align="left"><font size="2">Last Updated 8/27/2003 - <a
+<p align="left"><font size="2">Last Updated 11/14/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
--- a/Shorewall-docs/shorewall_prerequisites.htm
+++ b/Shorewall-docs/shorewall_prerequisites.htm
@ -1,86 +1,57 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Shorewall Prerequisites</title>
 </head>
-  <body>
+<body>
-        
+<h1 style="text-align: center;">Shorewall Requirements</h1>
-<table border="0" cellpadding="0" cellspacing="0"
+Shorewall Requires:<br>
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber1" bgcolor="#3366ff" height="90">
           <tbody>
            <tr>
             <td width="100%">                            
      <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
             </td>
           </tr>
  </tbody>    
 </table>
          <br>
      Shorewall Requires:<br>
 <ul>
  <li>A kernel that supports netfilter. I've tested with 2.4.2 -
-2.4.20.  With current releases of Shorewall, Traffic Shaping/Control requires 
+2.4.23-rc2. With current releases of Shorewall, Traffic
-at least  2.4.18.        <a href="kernel.htm">     Check here for kernel configuration
+Shaping/Control
-       information.</a>       If you are looking for a firewall for use with
+requires at least 2.4.18.&nbsp; <a href="kernel.htm"> Check here for
- 2.2 kernels, <a href="http://seawall.sf.net">     see       the Seattle
+kernel configuration information.</a> If you are looking for a firewall
 for use with 2.2 kernels, <a href="http://seawall.sf.net"> see the
 Seattle
 Firewall site</a> .</li>
-           <li>iptables 1.2 or later  but beware version 1.2.3 -- see the 
+  <li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
-    <a href="errata.htm">Errata</a>.   <font color="#ff0000"><b>WARNING: 
+ href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
-   </b></font>The    buggy iptables version 1.2.3    is included in RedHat 
+buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
-7.2 and you should   upgrade to iptables 1.2.4 prior to    installing Shorewall. 
+upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
-Version 1.2.4   is available   <a
+is available <a
- href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
+ href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from
-      and in the <a href="errata.htm">Shorewall Errata</a>.   </li>
+RedHat</a> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
-           <li>Iproute ("ip" utility). The iproute package  is     included 
+  <li>Iproute ("ip" utility). The iproute package is included with most
- with most distributions but may not be installed by default.  The     official
+distributions but may not be installed by default. The official
-  download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
+download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
 target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
  </li>
-           <li>A Bourne shell or derivative such as bash or ash. This shell 
+  <li>A Bourne shell or derivative such as bash or ash. This shell must
- must  have correct       support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
+have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
-       },        ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
+}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
-        } and       ${<i>variable</i>##<i>pattern</i>}.</li>
+} and ${<i>variable</i>##<i>pattern</i>}.</li>
-    <li>Your shell must produce a sensible result when a number n (128 &lt;= 
+  <li>Your shell must produce a sensible result when a number n (128
-n &lt;= 255)  is left shifted by 24 bits. You can check this at a shell prompt 
+&lt;= n &lt;= 255) is left shifted by 24 bits. You can check this at a
-by:</li>
+shell prompt by:</li>
  <ul>
    <li>echo $((128 &lt;&lt; 24))<br>
    </li>
    <li>The result must be either 2147483648 or -2147483648.<br>
    </li>
  </ul>
-           <li>The firewall monitoring display is greatly improved if you 
+  <li>The firewall monitoring display is greatly improved if you have
-have   awk        (gawk) installed.</li>
+awk (gawk) installed.</li>
 </ul>
-        
+<p align="left"><font size="2">Last updated 11/20/2003 - <a
 <p align="left"><font size="2">Last updated 7/8/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
- size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
+ size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
-          <br>
+Eastep.</font></a></font></p>
        <br>
       <br>
      <br>
     <br>
    <br>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/shorewall_quickstart_guide.htm
+++ b/Shorewall-docs/shorewall_quickstart_guide.htm
@ -10,22 +10,10 @@
  <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Shorewall QuickStart Guides (HOWTOs)<br>
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+</h1>
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall QuickStart
 Guides (HOWTO's)<br>
      </font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p align="center">With thanks to Richard who reminded me once again
-that we
+that we must all first walk before we can run.<br>
 must all first walk before we can run.<br>
 The French Translations of the single-IP guides are courtesy of Patrice
 Vetsel<br>
 The French Translation of the Shorewall Setup Guide is courtesy of
@ -51,15 +39,16 @@ acting as a firewall/router for a small local network and a DMZ. (<a
 running quickly in the three most common Shorewall configurations. If
 you want to learn more about Shorewall than is explained in the above
 simple guides,&nbsp; the <a href="shorewall_setup_guide.htm">Shorewall
-Setup Guide</a> (See Index Below) is for you.</p>
+Setup
 Guide</a> (See Index Below) is for you.</p>
 </blockquote>
 <p>If you have <font color="#ff0000"><big><big><b>more than one public
 IP address</b></big></big></font>:<br>
 </p>
 <blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
 Guide</a> (See Index Below) outlines the steps necessary to set up a
-firewall where there are multiple public IP
+firewall where there are multiple public IP addresses involved or if
-addresses involved or if you
+you
 want to learn more about Shorewall than is explained in the
 single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
 Française</a>).</blockquote>
@ -79,13 +68,11 @@ Interfaces (e.g., eth0:0)</a><br>
  <li><a href="blacklisting_support.htm">Blacklisting</a>
    <ul>
      <li>Static Blacklisting using /etc/shorewall/blacklist</li>
-      <li>Dynamic Blacklisting using
+      <li>Dynamic Blacklisting using /sbin/shorewall</li>
 /sbin/shorewall</li>
    </ul>
  </li>
  <li><a href="starting_and_stopping_shorewall.htm">Commands</a>
-(Description of
+(Description of all /sbin/shorewall commands)</li>
 all /sbin/shorewall commands)</li>
  <li><a href="configuration_file_basics.htm">Common configuration file
 features</a>&nbsp;</li>
  <ul>
@ -143,13 +130,16 @@ in Shorewall</a> </li>
  <li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
 Scripts</a></font> (How to extend Shorewall without modifying Shorewall
 code through the use of files in /etc/shorewall --
-/etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
+/etc/shorewall/start,
 /etc/shorewall/stopped, etc.)</li>
  <li><a href="fallback.htm">Fallback/Uninstall</a></li>
  <li><a href="FAQ.htm">FAQs</a><br>
  </li>
  <li><a href="shorewall_features.htm">Features</a><br>
  </li>
-  <li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
+  <li><a href="Multiple_Zones.html">Forwarding Traffic on the Same
 Interface</a><br>
  </li>
  <li><a href="FTP.html">FTP and Shorewall</a><br>
  </li>
  <li><a href="support.htm">Getting help or answers to questions</a></li>
@ -158,16 +148,25 @@ code through the use of files in /etc/shorewall --
    <li><a href="GSLUG.htm">HTML</a></li>
    <li><a href="GSLUG.ppt">PowerPoint</a></li>
  </ul>
-  <li><a href="Install.htm">Installation/Upgrade</a><br>
+  <li><a href="Install.htm">Installation/Upgrade</a></li>
  <li><a href="IPSEC.htm">IPSEC</a></li>
  <li><a href="Shorewall_and_Kazaa.html">Kazaa Filtering</a><br>
  </li>
  <li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
  <li><a href="shorewall_logging.html">Logging</a><br>
  </li>
  <li><a href="MAC_Validation.html">MAC Verification</a></li>
-  <li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
+  <li><a href="http://lists.shorewall.net">Mailing Lists</a></li>
  <li><a href="Multiple_Zones.html">Multiple Zones Through One Interface</a><br>
  </li>
  <li><a href="NetfilterOverview.html">Netfilter Overview</a><br>
  </li>
  <li><a href="myfiles.htm">My Shorewall Configuration (How I
 personally use Shorewall)</a></li>
  <li><font color="#000099"><a href="NAT.htm">One-to-one NAT (Formerly
 referred to as <span style="font-style: italic;">Static NAT</span>)<br>
    </a></font></li>
  <li><a href="OPENVPN.html">OpenVPN</a></li>
  <li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
  </li>
  <li><a href="ping.html">'Ping' Management</a><br>
@ -178,8 +177,8 @@ personally use Shorewall)</a></li>
      <li>Ports used by Trojans</li>
    </ul>
  </li>
-  <li><a href="ProxyARP.htm">Proxy
+  <li><a href="PPTP.htm">PPTP</a></li>
-ARP</a></li>
+  <li><a href="ProxyARP.htm">Proxy ARP</a></li>
  <li><a href="shorewall_prerequisites.htm">Requirements</a><br>
  </li>
  <li><a href="samba.htm">Samba</a></li>
@ -197,8 +196,7 @@ Subnets and Routing</a>
      <ul>
        <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
 Addresses</a></li>
-        <li><a href="shorewall_setup_guide.htm#Subnets">4.2
+        <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
 Subnets</a></li>
        <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
        <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
 Resolution Protocol (ARP)</a></li>
@ -219,7 +217,8 @@ Network</a>
            <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
            <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
 Proxy ARP</a></li>
-            <li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
+            <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
 One-to-one NAT</a></li>
          </ul>
        </li>
        <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
@ -235,14 +234,11 @@ Starting and Stopping the Firewall</a></li>
 href="starting_and_stopping_shorewall.htm">Starting/stopping the
 Firewall</a></font></li>
  <ul>
-    <li>Description of all /sbin/shorewall
+    <li>Description of all /sbin/shorewall commands</li>
 commands</li>
    <li>How to safely test a Shorewall configuration change<br>
    </li>
  </ul>
-  <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
+  <li><a href="Shorewall_Squid_Usage.html">Squid with Shorewall</a></li>
  <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
 with Shorewall</a></li>
  <li><a href="Accounting.html">Traffic Accounting</a><br>
  </li>
  <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
@ -255,14 +251,14 @@ doesn't work)</a></li>
  <li>VPN
    <ul>
      <li><a href="IPSEC.htm">IPSEC</a></li>
-      <li><a href="IPIP.htm">GRE and
+      <li><a href="IPIP.htm">GRE and IPIP</a></li>
 IPIP</a></li>
      <li><a href="OPENVPN.html">OpenVPN</a><br>
      </li>
      <li><a href="PPTP.htm">PPTP</a></li>
      <li><a href="6to4.htm">6t04</a><br>
      </li>
-      <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
+      <li><a href="VPN.htm">IPSEC/PPTP</a> passthrough from a system
 behind your
 firewall to a remote network.</li>
      <li><a href="GenericTunnels.html">Other VPN types</a>.<br>
      </li>
@ -272,7 +268,7 @@ firewall to a remote network.</li>
 </ul>
 <p>If you use one of these guides and have a suggestion for improvement
 <a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
-<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
+<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
 Eastep</a></font></p>
 <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
 M. Eastep</font></a><br>
--- a/Shorewall-docs/shorewall_setup_guide.htm
+++ b/Shorewall-docs/shorewall_setup_guide.htm
@ -10,18 +10,8 @@
  <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Shorewall Setup Guide<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber1" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall Setup Guide</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <br>
 <p><a href="#Introduction">1.0 Introduction</a><br>
 <a href="#Concepts">2.0 Shorewall Concepts</a><br>
 <a href="#Interfaces">3.0 Network Interfaces</a><br>
@ -41,7 +31,7 @@
    <p><a href="#SNAT">5.2.1 SNAT</a><br>
    <a href="#DNAT">5.2.2 DNAT</a><br>
    <a href="#ProxyARP">5.2.3 Proxy ARP</a><br>
-    <a href="#NAT">5.2.4 Static NAT</a></p>
+    <a href="#NAT">5.2.4 One-to-one NAT</a></p>
  </blockquote>
  <p><a href="#Rules">5.3 Rules</a><br>
  <a href="#OddsAndEnds">5.4 Odds and Ends</a></p>
@ -929,7 +919,15 @@ a VPN relationship. </p>
 <div align="left">
 <p align="left">So it's a good idea to check with your ISP to see if
 they are using (or are planning to use) private addresses before you
-decide the addresses that you are going to use.</p>
+decide the addresses that you are going to use.<br>
 </p>
 <p align="left"><span style="font-weight: bold;">NOTE: In this
 document, external "real" IP addresses are of the form 192.0.2.x.
 192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
 printed examples. These addresses are not to be confused with addresses
 in 192.168.0.0/16; as described above, these addresses are reserved by
 RFC 1918 for private use.</span><br>
 </p>
 </div>
 <div align="left">
 <h2 align="left"><a name="Options"></a>5.0 Setting up your Network</h2>
@ -1077,7 +1075,7 @@ also known as <i>Port Forwarding.</i> </p>
  </li>
  <li>
    <p align="left"><i>Network Address Translation</i> (NAT) also
-referred to as <i>Static NAT</i>. </p>
+referred to as <i>One-to-one NAT</i>. </p>
  </li>
 </ul>
 </div>
@ -1230,12 +1228,13 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask <b>(M)
    <p align="left">When <b>H</b> issues an ARP "who has" request for
 an address in the subnetwork defined by <b>A</b> and <b>M</b>, the
 firewall will
-respond (with the MAC if the firewall interface to <b>H</b>). </p>
+respond (with the MAC if the firewall interface) to <b>H</b>. </p>
  </li>
 </ul>
 </div>
 <div align="left">
-<p align="left">Let suppose that we decide to use Proxy ARP on the DMZ
+<p align="left">Let us suppose that we decide to use Proxy ARP on the
 DMZ
 in our example network.</p>
 </div>
 <div align="left">
@ -1323,7 +1322,7 @@ accordingly."<br>
    <br>
 Which is, of course, exactly what you want to do when you switch a host
 from being exposed to the Internet to behind Shorewall using proxy ARP
-(or static NAT for that matter). Happily enough, recent versions
+(or one-to-one NAT for that matter). Happily enough, recent versions
 of Redhat's iputils package include "arping", whose "-U" flag does just
 that:<br>
    <br>
@ -1371,10 +1370,10 @@ words, the gateway's ARP cache still associates 192.0.2.177 with
 the NIC in DMZ 1 rather than with the firewall's eth0.</p>
 </div>
 <div align="left">
-<h4 align="left"><a name="NAT"></a>5.2.4 Static NAT</h4>
+<h4 align="left"><a name="NAT"></a>5.2.4 One-to-one NAT</h4>
 </div>
 <div align="left">
-<p align="left">With static NAT, you assign local systems RFC 1918
+<p align="left">With one-to-one NAT, you assign local systems RFC 1918
 addresses then establish a one-to-one mapping between those addresses
 and
 public IP addresses. For outgoing connections SNAT (Source Network
@ -1486,7 +1485,7 @@ daughter's web server -- you would rather just use an ACCEPT rule:</p>
 <p align="left">A word of warning is in order here. ISPs typically
 configure their routers with a long ARP cache timeout. If you move a
 system from parallel to your firewall to behind your firewall with
-static NAT, it will probably be HOURS before that system can
+one-to-one NAT, it will probably be HOURS before that system can
 communicate
 with the internet. There are a couple of things that you can try:<br>
 </p>
@ -1506,7 +1505,7 @@ accordingly."<br>
    <br>
 Which is, of course, exactly what you want to do when you switch a host
 from being exposed to the Internet to behind Shorewall using proxy ARP
-(or static NAT for that matter). Happily enough, recent versions
+(or one-to-one NAT for that matter). Happily enough, recent versions
 of Redhat's iputils package include "arping", whose "-U" flag does just
 that:<br>
    <br>
@ -2367,7 +2366,7 @@ create an <i><a href="Documentation.htm#Configs">alternate
 configuration</a></i> and test it using the <a
 href="Documentation.htm#Starting">"shorewall try" command</a>.</p>
 </div>
-<p align="left"><font size="2">Last updated 7/6/2003 - <a
+<p align="left"><font size="2">Last updated 11/18/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
 2003 Thomas M. Eastep</font></a><br>
--- a/Shorewall-docs/shorewall_setup_guide_fr.htm
+++ b/Shorewall-docs/shorewall_setup_guide_fr.htm
--- a/Shorewall-docs/sourceforge_index.htm
+++ b/Shorewall-docs/sourceforge_index.htm
@ -7,18 +7,6 @@
  <base target="_self">
 </head>
 <body>
 <table border="0" cellpadding="0" cellspacing="4"
 style="border-collapse: collapse;" width="100%" id="AutoNumber3"
 bgcolor="#3366ff">
  <tbody>
    <tr>
      <td width="33%" height="90" valign="middle" align="center"><a
 href="http://www.cityofshoreline.com"> </a><img src="images/Logo1.png"
 alt="(Shorewall Logo)" width="430" height="90"> <br>
      </td>
    </tr>
  </tbody>
 </table>
 <div align="center">
 <center>
 <table border="0" cellpadding="0" cellspacing="0"
@ -26,6 +14,15 @@
  <tbody>
    <tr>
      <td width="90%">
      <h2>Site Problem</h2>
 The server that normally hosts www.shorewall.net and ftp.shorewall.net
 is currently down. Until it is back up, a small server with very
 limited bandwidth is being used temporarly. You will likely experience
 better response time from the <a
 href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
 or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
 Sorry for the inconvenience.<br>
      <br>
      <h2>Introduction<br>
      </h2>
      <ul>
@ -37,14 +34,12 @@ and control that facility. Netfilter can be used in ipchains
 compatibility mode.<br>
        </li>
        <li>iptables - the utility program used to configure and
-control
+control Netfilter. The term 'iptables' is often used to refer to the
-Netfilter. The term 'iptables' is often used to refer to the
+combination of iptables+Netfilter (with Netfilter not in ipchains
-combination of iptables+Netfilter (with Netfilter not in
+compatibility mode).<br>
 ipchains compatibility mode).<br>
        </li>
      </ul>
-The
+The Shoreline Firewall, more commonly known as "Shorewall", is
 Shoreline Firewall, more commonly known as "Shorewall", is
 high-level tool for configuring Netfilter. You describe your
 firewall/gateway requirements using entries in a set of configuration
 files. Shorewall reads those configuration files and with the help of
@ -56,14 +51,14 @@ and can thus take advantage of Netfilter's connection state tracking
 capabilities.
      <p>This program is free software; you can redistribute it and/or
 modify it under the terms of <a
- href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
+ href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
-GNU General Public License</a> as published by the Free Software
+General Public License</a> as published by the Free Software Foundation.<br>
 Foundation.<br>
      <br>
 This program is distributed in the hope that it will be useful, but
 WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-General Public License for more details.<br>
+General
 Public License for more details.<br>
      <br>
 You should have received a copy of the GNU General Public License along
 with this program; if not, write to the Free Software Foundation, Inc.,
@ -81,356 +76,205 @@ Shorewall. For older versions:<br>
        </li>
      </ul>
      <h2>Getting Started with Shorewall</h2>
-New to Shorewall? Start by
+New to Shorewall? Start by selecting the <a
-selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
+ href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
-that most closely match your environment and
+closely match your environment and follow the step by step instructions.<br>
 follow the step by step instructions.<br>
      <h2>Looking for Information?</h2>
 The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
-Index</a> is a good place to start as is the Quick Search to your
+Index</a> is a good place to start as is the Quick Search in the frame
-right.
+above.
      <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
 If so, the documentation<b> </b>on this site will not apply directly
-to your setup. If you want to
+to
-use the documentation that you find here, you will want to consider
+your setup. If you want to use the documentation that you find here,
-uninstalling what you have and installing a setup that matches the
+you will want to consider uninstalling what you have and installing a
-documentation on this site. See the <a href="two-interface.htm">Two-interface
+setup that matches the documentation on this site. See the <a
-QuickStart Guide</a> for
+ href="two-interface.htm">Two-interface QuickStart Guide</a> for
 details.
      <h2></h2>
      <h2><b>News</b></h2>
-      <b>10/06/2003 - Shorewall 1.4.7</b><b> <img
+      <p><b>11/01/2003 - Shorewall 1.4.8 RC2</b><b> <img
 style="border: 0px solid ; width: 28px; height: 12px;"
- src="images/new10.gif" alt="(New)" title=""></b><br>
+ src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b><b>
      <b><br>
 Problems Corrected since version 1.4.6 (Those in bold font
 were corrected since 1.4.7 RC2).</b><br>
      <ol>
        <li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
 variable was being tested before it was set.</li>
        <li>Corrected handling of MAC addresses in the SOURCE column of
 the tcrules file. Previously, these addresses resulted in an invalid
 iptables command.</li>
        <li>The "shorewall stop" command is now disabled when
 /etc/shorewall/startup_disabled exists. This prevents people from
 shooting themselves in the foot prior to having configured Shorewall.</li>
        <li>A change introduced in version 1.4.6 caused error messages
 during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
 were being added to a PPP interface; the addresses were successfully
 added in spite of the messages.<br>
 &nbsp;&nbsp;&nbsp; <br>
 The firewall script has been modified to eliminate the error messages</li>
        <li>Interface-specific dynamic blacklisting chains are
 now displayed by "shorewall monitor" on the "Dynamic Chains" page
 (previously named "Dynamic Chain").</li>
        <li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
        <li value="7">The 'shorewall reject'
 and
 'shorewall drop' commands now delete any existing rules for the subject
 IP address before adding a new DROP or REJECT rule. Previously, there
 could be many rules for the same IP address in the dynamic chain so
 that multiple 'allow' commands were required to re-enable traffic
 to/from the address.</li>
        <li>When ADD_SNAT_ALIASES=Yes in
 shorewall.conf, the following entry in /etc/shorewall/masq resulted in
 a startup error:<br>
 &nbsp;<br>
 &nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
 206.124.146.20-206.124.146.24<br>
          <br>
        </li>
        <li>Shorewall previously choked over
 IPV6
 addresses configured on interfaces in contexts where Shorewall needed
 to detect something about the interface (such as when "detect" appears
 in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
        <li>Shorewall will now load
 module files that are formed from the module name by appending ".o.gz".</li>
        <li>When Shorewall adds a route to a
 proxy
 ARP host and such a route already exists, two routes resulted
 previously. This has been corrected so that the existing route is
 replaced if it already exists.</li>
        <li>The rfc1918 file has been
 updated to reflect recent allocations.</li>
        <li>The documentation of the
 USER SET column in the rules file has been corrected.</li>
        <li>If there is no policy
 defined for
 the zones specified in a rule, the firewall script previously
 encountered a shell syntax error:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
          <br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
          <br>
 Now, the absence of a policy generates an error message and the
 firewall is stopped:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
          <br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
 &lt;source&gt; to zone &lt;dest&gt;<br>
          <br>
        </li>
        <li>Previously, if neither
 /etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
 would fail to start and would not remove the lock file. Failure to
 remove the lock file resulted in the following during subsequent
 attempts to start:<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
          <br>
 &nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
 &nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
 &nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
 &nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
 &nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
          <br>
 Shorewall now reports a fatal error if neither of these two files exist
 and correctly removes the lock fille.</li>
        <li>The order of processing
 the
 various options has been changed such that blacklist entries now take
 precedence over the 'dhcp' interface setting.</li>
        <li>The log message generated
 from the
 'logunclean' interface option has been changed to reflect a disposition
 of LOG rather than DROP.</li>
        <li><span style="font-weight: bold;">When a user name and/or a
 group
 name was specified in the USER SET column and the destination zone was
 qualified with a IP address, the user and/or group name was not being
 used to qualify the rule.<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp; Example:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
          <br>
          </span></li>
        <li><span style="font-weight: bold;">The /etc/shorewall/masq
 file has had the spurious "/" character at the front removed.</span></li>
      </ol>
      <b>Migration Issues:</b><br>
      <ol>
        <li>Shorewall IP Traffic Accounting has changed since snapshot
 20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
 details.</li>
        <li>The Uset Set capability introduced in SnapShot 20030821 has
 changed -- see the <a href="UserSets.html">User Set page</a> for
 details.</li>
        <li>The
 per-interface Dynamic Blacklisting facility introduced in the first
 post-1.4.6 Snapshot has been removed. The facility had too many
 idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
        </li>
      </ol>
      <b></b><b>New Features:</b><br>
      <ol>
        <li>Shorewall now creates a dynamic blacklisting chain for each
 interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
 commands use the routing table to determine which of these chains is to
 be used for blacklisting the specified IP address(es).<br>
          <br>
 Two new commands ('dropall' and 'rejectall') have been introduced that
 do what 'drop' and 'reject' used to do; namely, when an address is
 blacklisted using these new commands, it will be blacklisted on all of
 your firewall's interfaces.</li>
        <li>Thanks to Steve Herber, the 'help' command can now give
 command-specific help (e.g., shorewall help &lt;command&gt;).</li>
        <li>A new option "ADMINISABSENTMINDED" has been added to
 /etc/shorewall/shorewall.conf. This option has a default value of "No"
 for existing users which causes Shorewall's 'stopped' state &nbsp;to
 continue as it has been; namely, in the stopped state only traffic
 to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
          <br>
 With ADMINISABSENTMINDED=Yes (the default for new installs), in
 addition to traffic to/from the hosts listed in
 /etc/shorewall/routestopped, Shorewall will allow:<br>
          <br>
 &nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
 &nbsp;&nbsp; b) All traffic that is part of or related to an
 already-existing connection.<br>
          <br>
 &nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
 entered through an ssh session will not kill the session.<br>
          <br>
 &nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
 possible for people to shoot themselves in the foot.<br>
          <br>
 &nbsp;Example:<br>
          <br>
 &nbsp;/etc/shorewall/nat:<br>
          <br>
 &nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
 eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
          <br>
 &nbsp;/etc/shorewall/rules:<br>
          <br>
 &nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
 loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
 &nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
          <br>
 From a remote system, I ssh to 206.124.146.178 which establishes an SSH
 connection with local system 192.168.1.5. I then create a second SSH
 connection
 from that computer to the firewall and confidently type "shorewall
 stop".
 As part of its stop processing, Shorewall removes eth0:0 which kills my
 SSH
 connection to 192.168.1.5!!!</li>
        <li>Given the wide range of VPN software, I can never hope to
 add specific support for all of it. I have therefore decided to add
 "generic" tunnel support.<br>
 &nbsp;<br>
 Generic tunnels work pretty much like any of the other tunnel types.
 You usually add a zone to represent the systems at the other end of the
 tunnel and you add the appropriate rules/policies to<br>
 implement your security policy regarding traffic to/from those systems.<br>
 &nbsp;<br>
 In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
          <br>
 generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
 address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
 &nbsp;<br>
 where:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
 used by the tunnel<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
 is 'udp' or 'tcp' then this is the destination port number used by the
 tunnel.<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
 the remote tunnel gateway<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
 address of the remote tunnel gateway.<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
 Optional. A comma-separated list of zone names. If specified, the
 remote gateway is to be considered part of these zones.</li>
        <li>An 'arp_filter' option has been added to the
 /etc/shorewall/interfaces file. This option causes
 /proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
 result that this interface will only answer ARP 'who-has' requests from
 hosts that are routed out through that interface. Setting this option
 facilitates testing of your firewall where multiple firewall interfaces
 are connected to the same HUB/Switch (all interfaces connected to the
 single HUB/Switch should have this option specified). Note that using
 such a configuration in a production environment is strongly
 recommended against.</li>
        <li>The ADDRESS column in /etc/shorewall/masq may now include a
 comma-separated list of addresses and/or address ranges. Netfilter will
 use all listed addresses/ranges in round-robin fashion. \</li>
        <li>An /etc/shorewall/accounting file has been added to allow
 for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
 documentation</a> for a description of this facility.</li>
        <li>Bridge interfaces (br[0-9]) may now be used in
 /etc/shorewall/maclist.</li>
        <li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
 /etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
 rules, rate limiting occurs in the nat table DNAT rule; the
 corresponding ACCEPT rule in the filter table is not rate limited. If
 you want to limit the filter table rule, you will need o create two
 rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
 separately.<br>
 &nbsp;<br>
          <span style="font-weight: bold;">Warning: </span>When rate
 limiting is specified on a rule with "all" in the SOURCE or DEST
 fields, the limit will apply to each pair of zones individually rather
 than as a single limit for all pairs of covered by the rule.<br>
 &nbsp;<br>
 To specify a rate limit, <br>
          <br>
 a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
 &lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
 &nbsp;<br>
 &nbsp;
 where<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
 &lt;interval&gt;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
 accepted within an &lt;interval&gt;. If not given, the default of 5 is
 assumed.<br>
 &nbsp;<br>
 There may be no white space between the ACTION and "&lt;" nor there may
 be any white space within the burst specification. If you want to
 specify logging of a rate-limited rule, the ":" and log level comes
 after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
          <br>
 b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
 file. You may specify the rate limit there in the format:<br>
          <br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 &lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
 &nbsp;<br>
 Let's take an example:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
 tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
 &nbsp;&nbsp;&nbsp; <br>
 The first time this rule is reached, the packet will be accepted; in
 fact, since the burst is 4, the first four packets will be accepted.
 After this, it will be 500ms (1 second divided by the rate<br>
 of 2) before a packet will be accepted from this rule, regardless of
 how many packets reach it. Also, every 500ms which passes without
 matching a packet, one of the bursts will be regained; if no packets
 hit the rule for 2 second, the burst will be fully recharged; back
 where we started.<br>
        </li>
        <li>Multiple chains may now be displayed in one "shorewall
 show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
        <li>Output rules (those with $FW as the SOURCE) may now be
 limited to a set of local users and/or groups. See <a
 href="UserSets.html">http://shorewall.net/UserSets.html</a> for
 details.</li>
      </ol>
      <p><b>8/27/2003 - Shorewall Mirror in Australia&nbsp;</b></p>
      <p>Thanks to Dave Kempe and Solutions First (<a
 href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
 there is now a Shorewall Mirror in Australia:</p>
      <div style="margin-left: 40px;"><a
 href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
      <font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
      <p><b>8/26/2003 - French Version of the Shorewall Setup
 Guide&nbsp;</b></p>
 Thanks to Fabien <font size="3">Demassieux, there is now a <a
 href="shorewall_setup_guide_fr.htm">French translation of the
 Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
 - Shorewall 1.4.7 Beta 2</b><b> <img
 style="border: 0px solid ; width: 28px; height: 12px;"
 src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
      <p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
 style="border: 0px solid ; width: 28px; height: 12px;"
 src="images/new10.gif" alt="(New)" title=""> <br>
      </b></p>
-      <b>Problems Corrected since version 1.4.6:</b><br>
+Given the small number of new features and the relatively few lines of
 code that were changed, there will be no Beta for 1.4.8.<br>
      <p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
      <a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
      <br>
      </b>Problems Corrected since version 1.4.7:<br>
      </p>
      <ol>
-        <li>Previously, if TC_ENABLED is set to yes in shorewall.conf
+        <li>Tuomo Soini has supplied a correction to a problem that
-then Shorewall would fail to start with the error "ERROR: &nbsp;Traffic
+occurs
-Control requires Mangle"; that problem has been corrected.</li>
+using some versions of 'ash'. The symptom is that "shorewall start"
-        <li>Corrected handling of MAC addresses in the SOURCE column of
+fails with:<br>
 &nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
 &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.</li>
        <li>Andres Zhoglo has supplied a correction that avoids trying
 to use the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Example of rule that previously caused "shorewall start"
 to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
          <br>
        </li>
        <li>Previously, if the following error message was issued,
 Shorewall was left in an inconsistent state.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
          <br>
        </li>
        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
 been corrected.</li>
        <li>In Shorewall 1.4.2, an optimization was added. This
 optimization
 involved creating a chain named "&lt;zone&gt;_frwd" for most zones
 defined using the /etc/shorewall/hosts file. It has since been
 discovered that in many cases these new chains contain redundant rules
 and that the "optimization" turns out to be less than optimal. The
 implementation has now been corrected.</li>
        <li>When the MARK value in a tcrules entry is followed by ":F"
 or
 ":P", the ":F" or ":P" was previously only applied to the first
 Netfilter rule generated by the entry. It is now applied to all entries.</li>
        <li>An incorrect comment concerning Debian's use of the
 SUBSYSLOCK option has been removed from shorewall.conf.</li>
        <li>Previously, neither the 'routefilter' interface option nor
 the
-tcrules file. Previously, these addresses resulted in an invalid
+ROUTE_FILTER parameter were working properly. This has been corrected
-iptables
+(thanks to Eric Bowles for his analysis and patch). The definition of
-command.</li>
+the ROUTE_FILTER option has changed however. Previously,
-        <li>The "shorewall stop" command is now disabled when
+ROUTE_FILTER=Yes was documented as enabling route filtering on all
-/etc/shorewall/startup_disabled
+interfaces (which didn't work). Beginning with this release, setting
-exists. This prevents people from shooting themselves in the foot prior
+ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
-to
+up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
-having configured Shorewall.</li>
+coexist with the use of the 'routefilter' option in the interfaces file.</li>
-        <li>A change introduced in version 1.4.6 caused error messages
+        <li>If MAC verification was enabled on an interface with a /32
-during
+address and
-"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
+a broadcast address then an error would occur during startup.</li>
-being
+      </ol>
-added to a PPP interface; the addresses were successfully added in
+Migration Issues:<br>
-spite
+      <ol>
-of the messages.<br>
+        <li>The definition of the ROUTE_FILTER option in shorewall.conf
-&nbsp;&nbsp; <br>
+has changed as described in item 8) above.<br>
-The firewall script has been modified to eliminate the error messages.</li>
+        </li>
      </ol>
 New Features:<br>
      <ol>
        <li>A new QUEUE action has been introduced for rules. QUEUE
 allows
 you to pass connection requests to a user-space filter such as ftwall
 (http://p2pwall.sourceforge.net). The ftwall program
 allows for effective filtering of p2p applications such as Kazaa. For
 example, to use ftwall to filter P2P clients in the 'loc' zone, you
 would add the following rules:<br>
          <br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
 &nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
 &nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
          <br>
 You would normally want to place those three rules BEFORE any ACCEPT
 rules for loc-&gt;net udp or tcp.<br>
          <br>
 Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
 Shorewall will only pass connection requests (SYN packets) to user
 space. This is for compatibility with ftwall.</li>
        <li>A
 BLACKLISTNEWNONLY option has been added to shorewall.conf. When this
 option is set to "Yes", the blacklists (dynamic and static) are only
 consulted for new connection requests. When set to "No" (the default if
 the variable is not set), the blacklists are consulted on every packet.<br>
          <br>
 Setting this option to "No" allows blacklisting to stop existing
 connections from a newly blacklisted host but is more expensive in
 terms of packet processing time. This is especially true if the
 blacklists contain a large number of entries.</li>
        <li>Chain names used in the /etc/shorewall/accounting file may
 now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
      </ol>
      <p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
 bag awards </b><b><img
 style="border: 0px solid ; width: 50px; height: 80px;"
 src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
 1.4.7c released.</b> </p>
      <ol>
        <li>The saga with "&lt;zone&gt;_frwd" chains continues. The
 1.4.7c script
 produces a ruleset that should work for everyone even if it is not
 quite optimal. My apologies for this ongoing mess.</li>
      </ol>
      <p><b>10/24/2003 - Shorewall 1.4.7b</b><b> <img
 style="border: 0px solid ; width: 28px; height: 12px;"
 src="images/new10.gif" alt="(New)" title=""></b></p>
      <p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
      </p>
      <ol>
        <li>The fix for problem 5 in 1.4.7a was wrong with the result
 that
 "&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
 is corrected in this release.<br>
        </li>
      </ol>
      <p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
      <p>This is a bugfix rollup of the following problem corrections:<br>
      </p>
      <ol>
        <li>Tuomo Soini has supplied a correction to a problem that
 occurs
 using some versions of 'ash'. The symptom is that "shorewall start"
 fails with:<br>
 &nbsp;<br>
 &nbsp;&nbsp; local: --limit: bad variable name<br>
 &nbsp;&nbsp; iptables v1.2.8: Couldn't load match
 `-j':/lib/iptables/libipt_-j.so:<br>
 &nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
 &nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
 information.<br>
          <br>
        </li>
        <li>Andres Zhoglo has supplied a correction that avoids trying
 to use the multiport match iptables facility on ICMP rules.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Example of rule that previously caused "shorewall start"
 to fail:<br>
 &nbsp;<br>
 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
 icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
          <br>
        </li>
        <li>Previously, if the following error message was issued,
 Shorewall was left in an inconsistent state.<br>
 &nbsp;<br>
 &nbsp;&nbsp; Error: Unable to determine the routes through
 interface xxx<br>
          <br>
        </li>
        <li>Handling of the LOGUNCLEAN option in shorewall.conf has
 been corrected.</li>
        <li>In Shorewall 1.4.2, an optimization was added. This
 optimization
 involved creating a chain named "&lt;zone&gt;_frwd" for most zones
 defined using the /etc/shorewall/hosts file. It has since been
 discovered that in many cases these new chains contain redundant rules
 and that the "optimization" turns out to be less than optimal. The
 implementation has now been corrected.</li>
        <li>When the MARK value in a tcrules entry is followed by ":F"
 or
 ":P", the ":F" or ":P" was previously only applied to the first
 Netfilter rule generated by the entry. It is now applied to all entries.</li>
      </ol>
      <p><b><a href="News.htm">More News</a></b></p>
      <b> </b>
@ -453,44 +297,22 @@ Bering 1.2!!! </b><br>
      <h4><b> </b></h4>
      <b> </b>
      <h2><b>This site is hosted by the generous folks at <a
- href="http://www.sf.net">SourceForge.net</a> </b></h2>
+ href="http://www.sf.net">SourceForge.net</a></b></h2>
-      <b> </b>
+      <br>
      <br>
      <h2><b><a name="Donations"></a>Donations</b></h2>
      <b> </b></td>
      <td width="88" bgcolor="#3366ff" valign="top" align="center">
      <form method="post"
 action="http://lists.shorewall.net/cgi-bin/htsearch">
        <p><strong><br>
        <font color="#ffffff"><b>Note: </b></font></strong> <font
 color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
 &nbsp;</p>
        <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
        <font face="Arial" size="-1"> <input type="text" name="words"
 size="15"></font><font size="-1"> </font><font face="Arial" size="-1">
        <input type="hidden" name="format" value="long"> <input
 type="hidden" name="method" value="and"> <input type="hidden"
 name="config" value="htdig"> <input type="submit" value="Search"></font>
        </p>
        <font face="Arial"> <input type="hidden" name="exclude"
 value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
      <p><font color="#ffffff"><b> <a
 href="http://lists.shorewall.net/htdig/search.html"> <font
 color="#ffffff">Extended Search</font></a></b></font></p>
      <a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a><a
 target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
 color="#ffffff"><small><small><small></small></small></small></font></a><br>
      </td>
    </tr>
  </tbody>
 </table>
 </center>
 </div>
 <table border="0" cellpadding="5" cellspacing="0"
- style="border-collapse: collapse;" width="100%" id="AutoNumber2"
+ style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
- bgcolor="#3366ff">
+ id="AutoNumber2">
  <tbody>
    <tr>
-      <td width="100%" style="margin-top: 1px;">
+      <td style="width: 100%; margin-top: 1px;">
      <p align="center"><a href="http://www.starlight.org"> <img
 border="4" src="images/newlog.gif" width="57" height="100" align="left"
 hspace="10"> </a></p>
@ -503,7 +325,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
    </tr>
  </tbody>
 </table>
-<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
+<p><font size="2">Updated 11/17/2003 - <a href="support.htm">Tom Eastep</a></font>
 <br>
 </p>
 </body>
--- a/Shorewall-docs/standalone.htm
+++ b/Shorewall-docs/standalone.htm
@ -9,17 +9,8 @@
  <title>Standalone Firewall</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Standalone Firewall<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber6" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p align="left">Setting up Shorewall on a standalone Linux system is
 very easy if you understand the basics and follow the documentation.</p>
 <p>This guide doesn't attempt to acquaint you with all of the features
@ -113,7 +104,9 @@ first checked against the /etc/shorewall/rules file. If no rule in that
 file matches the connection request then the first policy in
 /etc/shorewall/policy that matches the request is applied. If that
 policy is REJECT or DROP&nbsp; the request is first checked against the
-rules in /etc/shorewall/common (the samples provide that file for you).</p>
+rules in /etc/shorewall/common if that file exists; otherwise the rules
 in /etc/shorewall/common.def are checked.<br>
 </p>
 <p>The /etc/shorewall/policy file included with the one-interface
 sample
 has the following policies:</p>
@ -365,9 +358,15 @@ to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
 Also, I don't recommend using "shorewall restart"; it is better to
 create an <i><a href="configuration_file_basics.htm#Configs">alternate
 configuration</a></i> and test it using the <a
- href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
 </p>
 <h2>Additional Recommended Reading</h2>
 I highly recommend that you review the <a
 href="configuration_file_basics.htm">Common Configuration File
 Features page</a> -- it contains helpful tips about Shorewall features
 than make administering your firewall easier.<br>
 </div>
-<p align="left"><font size="2">Last updated 2/08/2003 - <a
+<p align="left"><font size="2">Last updated 11/15/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
 2003 Thomas M. Eastep</font></a></p>
--- a/Shorewall-docs/standalone_fr.html
+++ b/Shorewall-docs/standalone_fr.html
@ -1,113 +1,94 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Standalone Firewall</title>
 </head>
-  <body>
+<body>
-     
+<h1 style="text-align: center;">Standalone Firewall</h1>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" bordercolor="#111111" width="100%"
 id="AutoNumber6" bgcolor="#3366ff" height="90">
     <tbody>
       <tr>
         <td width="100%">                     
      <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
         </td>
       </tr>
  </tbody>   
 </table>
 <h2 align="center">Version 2.0.1 Française</h2>
 <p align="left"><small><i><u>Notes du traducteur</u> :<br>
-   Je ne prétends pas être un vrai traducteur dans le sens ou mon travail 
+Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
-n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une 
+n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à
-traduction exacte du texte, mais plutôt à en faire une version française intelligible
+une traduction exacte du texte, mais plutôt à en faire une version
-par tous (et par moi). Les termes techniques sont la plupart du temps conservés
+française intelligible
-sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
+par tous (et par moi). Les termes techniques sont la plupart du temps
-dans le reste des documentations ainsi que dans les fichiers de configuration.
+conservés
 sous leur forme originale et mis entre parenthèses car vous pouvez les
 retrouver
 dans le reste des documentations ainsi que dans les fichiers de
 configuration.
 N?hésitez pas à me contacter afin d?améliorer ce document <a
- href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
+ href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à
-pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
+JMM
 pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP
 pour
 son formidable outil et sa disponibilité)</i><i>.</i></small></p>
-     
+<p align="left">Mettre en place un système Linux en tant que firewall
-<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
+(écluse) pour un petit réseau est une chose assez simple, si vous
- pour un petit réseau est une chose assez simple, si vous comprenez les bases
+comprenez les bases et suivez la documentation.</p>
- et suivez la documentation.</p>
+<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
-     
+Il
-<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
+se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
-se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
+son
 utilisation la plus courante :</p>
 <ul>
  <li>Un système Linux</li>
  <li>Une seule adresse IP externe</li>
-     <li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
+  <li>Une connexion passant par un modem câble, ADSL, ISDN, Frame
- rtc...</li>
+Relay, rtc...</li>
 </ul>
-     
+<p>Ce guide suppose que vous avez le paquet iproute/iproute2
-<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
+d'installé.
-Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
+Vous pouvez voir si le paquet est installé en vérifiant la présence du
- ip sur votre système de firewall. Sous root, utilisez la commande 'which'
+programme ip sur votre système de firewall. Sous root, utilisez la
- pour rechercher le programme :</p>
+commande 'which' pour rechercher le programme :</p>
 <pre>     [root@gateway root]# which ip<br>     /sbin/ip<br>     [root@gateway root]#</pre>
-     
+<p>Je vous recommande dans un premier temps de parcourir tout le guide
-<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
+pour vous familiariser avec ce qu'il va se passer, et de revenir au
- vous familiariser avec ce qu'il va se passer, et de revenir au début en
+début en
-effectuant  le changements dans votre configuration. Les points, où les changements
+effectuant le changements dans votre configuration. Les points, où les
 changements
 dans la configuration sont recommandées, sont signalés par une <img
- border="0" src="images/BD21298_.gif" width="13" height="13">
+ border="0" src="images/BD21298_.gif" width="13" height="13"> .</p>
-   .</p>
+<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
-     
+vous éditez vos fichiers de configuration sur un système Windows, vous
-<p><img border="0" src="images/j0213519.gif" width="60" height="60">
+devez les sauver comme des fichiers Unix si votre éditeur supporte
-   Si vous éditez vos fichiers de configuration sur un système Windows, vous 
+cette option sinon vous devez les faire passer par dos2unix avant
- devez les sauver comme des fichiers Unix si votre éditeur supporte cette 
+d'essayer de les
-option sinon vous devez les faire passer par dos2unix avant d'essayer de les
+utiliser. De la même manière, si vous copiez un fichier de
-utiliser. De la même manière, si vous copiez un fichier de configuration depuis
+configuration depuis
-votre disque dur Windows vers une disquette, vous devez lancer dos2unix sur
+votre disque dur Windows vers une disquette, vous devez lancer dos2unix
 sur
 la copie avant de l'utiliser avec Shorewall.</p>
 <ul>
  <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
- of    dos2unix</a></li>
+of dos2unix</a></li>
  <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
 Version of dos2unix</a></li>
 </ul>
 <h2 align="left">Les Concepts de Shorewall</h2>
 <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
- alt="">
+ alt=""> Les fichiers de configuration pour Shorewall sont situés dans
-   Les fichiers de configuration pour Shorewall sont situés dans le répertoire
+le répertoire /etc/shorewall -- pour de simples paramétrages, vous
-  /etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
+n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
- quelques un d'entre eux comme décris dans ce guide. Après avoir <a
+guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
- href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
+le <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
- href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface  sample</a>, 
+sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les
-un-tarez le  (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall 
+fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
- (Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall 
+déjà existant dans /etc/shorewall installés lors de l'installation de
-installés lors de l'installation de Shorewall)</b>.</p>
+Shorewall)</b>.</p>
-     
+<p>Parallèlement à la description, je vous suggère de jeter un oeil à
-<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
+ceux physiquement présents sur votre système -- chacun des fichiers
- physiquement présents sur votre système -- chacun des fichiers contient
+contient
 des instructions de configuration détaillées et des entrées par défaut.</p>
-     
+<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
-<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
+de <i>zones.</i> Dans les fichiers de configuration fournis pour une
- <i>zones.</i> Dans les fichiers de configuration fournis pour une unique
+unique
 interface, une seule zone est définie :</p>
 <table border="0" style="border-collapse: collapse;" cellpadding="3"
 cellspacing="0" id="AutoNumber2">
  <tbody>
@ -119,39 +100,35 @@ interface, une seule zone est d
      <td><b>net</b></td>
      <td><b>The Internet</b></td>
    </tr>
  </tbody>
 </table>
 <p>Les zones de Shorewall sont définies dans <a
 href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
-     
+<p>Shorewall reconnaît aussi le système de firewall comme sa propre
-<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
+zone
 - par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
-     
+<p>Les règles concernant le trafic à autoriser ou à interdire sont
-<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
+exprimées en utilisant les termes de zones.</p>
 en utilisant les termes de zones.</p>
 <ul>
  <li>Vous exprimez les politiques par défaut pour les connexions d'une
-zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
+zone à une autre dans le fichier<a href="Documentation.htm#Policy">
-     </a>.</li>
+/etc/shorewall/policy </a>.</li>
-     <li>Vous définissez les exceptions à ces règles de politiques par défaut
+  <li>Vous définissez les exceptions à ces règles de politiques par
- dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
+défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
 </ul>
-     
+<p>Pour chacune des demandes de connexion entrantes dans le firewall,
-<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
+les demandes sont en premier lieu comparées par rapport au fichier
- demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
+/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
- Si aucune des règles dans ce fichier ne correspondent, alors la première
+correspondent, alors la première
-politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
+politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
-politique est REJECT ou DROP la requête est alors comparée par rapport aux
+cette
-règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
+politique est REJECT ou DROP la requête est alors comparée par rapport
 aux
 règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
 fournit
 ce fichier).</p>
-     
+<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
-<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
+one-interface a les politiques suivantes :</p>
 a les politiques suivantes :</p>
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
 id="AutoNumber3">
@ -189,95 +166,81 @@ ce fichier).</p>
        <td> <br>
        </td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
 <pre>  </pre>
-   Ces politiques vont :   
+Ces politiques vont :
 <ol>
-     <li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
+  <li>permettre toutes demandes de connexion depuis le firewall vers
 l'Internet</li>
  <li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
 vers votre firewall</li>
-     <li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
+  <li>rejeter toutes les autres requêtes de connexion (Shorewall à
- de cette politique).</li>
+besoin de cette politique).</li>
 </ol>
-     
+<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
-<p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
+changements que vous désirez.</p>
 que vous désirez.</p>
 <h2 align="left">Interface Externe</h2>
-     
+<p align="left">Le firewall possède une seule interface réseau. Lorsque
-<p align="left">Le firewall possède une seule interface réseau. Lorsque la
+la connexion Internet passe par un modem câble ou par un routeur ADSL
- connexion Internet passe par un modem câble ou par un routeur ADSL (pas
+(pas
-un  simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
+un simple modem), l'<i>External Interface</i> (interface externe) sera
- ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
+l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u>
- par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
+vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
- (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP) 
+over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
- dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
+dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous
- par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>. 
+connectez par un simple modem (RTC), votre interface externe sera aussi
- Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
+<b>ppp0</b>. Si vous vous connectez en utilisant l'ISDN (numéris),
- sera<b> ippp0.</b></p>
+votre interface externe sera<b> ippp0.</b></p>
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
- height="13">
+ height="13"> L'exemple de configuration de Shorewall pour une
-   L'exemple de configuration de Shorewall pour une interface suppose que 
+interface suppose que votre interface externe est <b>eth0</b>. Si
-votre interface externe est <b>eth0</b>.  Si votre configuration est différente,
+votre configuration est différente, vous devrez modifier le fichier
- vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
+d'exemple /etc/shorewall/interfaces en conséquence. Puisque vous y
-  Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
+êtes, vous pourriez parcourir la liste d'options qui sont spécifiées
- spécifiées pour l'interface. Quelques astuces :</p>
+pour l'interface. Quelques astuces :</p>
 <ul>
  <li>
    <p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
- vous pouvez remplacer le    "detect" dans la seconde colonne par un "-".
+vous pouvez remplacer le "detect" dans la seconde colonne par un "-". </p>
     </p>
  </li>
  <li>
    <p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
- ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
+ou bien si vous avez une adresse IP statique, vous pouvez enlever le
- de la liste d'option. </p>
+"dhcp" de la liste d'option. </p>
  </li>
 </ul>
 <div align="left">
 <h2 align="left">Adresse IP</h2>
-   </div>
+</div>
 <div align="left">
-<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
+<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP
 privée
 (<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
 <div align="left">
 <pre>     10.0.0.0    - 10.255.255.255<br>     172.16.0.0  - 172.31.255.255<br>     192.168.0.0 - 192.168.255.255</pre>
-   </div>
+</div>
 <p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
- car les routeurs sur les backbones Internet ne font pas passer les paquets
+car les routeurs sur les backbones Internet ne font pas passer les
- dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
+paquets dont les adresses de destinations sont définies dans la RFC
- cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
+1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent
- le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
+ces adresses et utilisent le <i>Network Address Translation </i>afin
- lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
+de récrire les entêtes des paquets lorsqu'ils les font circuler depuis
-     
+ou vers l'Internet.</p>
 <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
- width="13" height="13">
+ width="13" height="13"> Avant de lancer Shorewall, vous devriez
-   Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
+regarder l'adresse de votre interface externe et si elle est comprise
- externe et si elle est comprise dans une des plages précédentes, vous devriez
+dans une des plages précédentes, vous devriez enlever l'option
- enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
+'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
-   </div>
+</div>
 <div align="left">
 <h2 align="left">Permettre d'autres connexions</h2>
-   </div>
+</div>
 <div align="left">
-<p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
+<p align="left">Si vous désirez autoriser d'autres connexions depuis
- vers votre   firewall, le format général est :</p>
+l'Internet vers votre firewall, le format général est :</p>
-   </div>
+</div>
 <div align="left">
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -303,17 +266,15 @@ votre interface externe est <b>eth0</b>.  Si votre configuration est diff
        <td> <br>
        </td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-   </div>
+</div>
 <div align="left">
-<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
+<p align="left">Exemple - Vous voulez faire tourner un serveur Web et
 un
 serveur POP3 sur votre système de firewall :</p>
-   </div>
+</div>
 <div align="left">
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -350,24 +311,22 @@ serveur POP3 sur votre syst
        <td> <br>
        </td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-   </div>
+</div>
 <div align="left">
-<p align="left">Si vous ne savez pas quel port ou protocole une application
+<p align="left">Si vous ne savez pas quel port ou protocole une
- particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
+application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
-   </div>
+</div>
 <div align="left">
-<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
+<p align="left"><b>Important: </b>Je ne vous recommande pas
- telnet depuis ou vers l'Internet car il utilise du texte en clair (même
+d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte
-pour  le login et le mot de passe !). Si vous voulez avoir un accès au shell
+en clair (même
 pour le login et le mot de passe !). Si vous voulez avoir un accès au
 shell
 de votre firewall depuis Internet, utilisez SSH :</p>
-   </div>
+</div>
 <div align="left">
 <blockquote>
  <table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -393,79 +352,75 @@ de  votre firewall depuis Internet, utilisez SSH :</p>
        <td> <br>
        </td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-   </div>
+</div>
 <div align="left">
 <pre>     ACCEPT	net	fw	tcp	22</pre>
-   </div>
+</div>
 <div align="left">
 <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
- height="13">
+ height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter les
-   A ce point, éditez    /etc/shorewall/rules pour rajouter les autres connexions
+autres connexions désirées.</p>
- désirées.</p>
+</div>
   </div>
 <div align="left">
 <h2 align="left">Lancer et Arrêter son Firewall</h2>
-   </div>
+</div>
 <div align="left">
 <p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
- height="13" alt="Arrow">
+ height="13" alt="Arrow"> La <a href="Install.htm">procédure
-   La <a href="Install.htm">procédure d'installation </a> configure votre 
+d'installation </a> configure votre système pour lancer Shorewall au
-système pour lancer Shorewall au boot du système, mais au début avec la version 
+boot du système, mais au début avec la version 1.3.9 de Shorewall le
-1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
+lancement est désactivé, n'essayer pas de lancer Shorewall avec que la
- avec que la configuration soit finie. Une fois que vous en aurez fini avec
+configuration soit finie. Une fois que vous en aurez fini avec la
- la configuration du firewall, vous pouvez permettre le lancement de Shorewall
+configuration du firewall, vous pouvez permettre le lancement de
- en supprimant le fichier /etc/shorewall/startup_disabled.<br>
+Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
-   </p>
+</p>
-     
+<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
-<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
+utilisateurs
-des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
+des paquets .deb doivent éditer /etc/default/shorewall et mettre
-   </p>
+'startup=1'.</font><br>
-   </div>
+</p>
-     
+</div>
 <div align="left">
-<p align="left">Le firewall est activé en utilisant la commande "shorewall
+<p align="left">Le firewall est activé en utilisant la commande
- start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
+"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
 est stoppé,
 le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
- href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
+ href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
- firewall qui tourne peut être relancé en utilisant la commande "shorewall
+Un firewall qui tourne peut être relancé en utilisant la commande
- restart".   Si vous voulez enlever toutes traces de Shorewall sur votre
+"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
 sur votre
 configuration de Netfilter, utilisez "shorewall clear".</p>
-   </div>
+</div>
 <div align="left">
-<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
+<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
-depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
+firewall
-n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
+depuis Internet, n'essayez pas une commande "shorewall stop" tant que
 vous
 n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de
 laquelle
 vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
-  De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
+De la même manière, je ne vous recommande pas d'utiliser "shorewall
- il est plus intéressant de créer une <i><a
+restart"; il est plus intéressant de créer une <i><a
 href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
- et de la tester en utilisant la commande <a
+et de la tester en utilisant la commande <a
 href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
-   </div>
+</div>
 <p align="left"><font size="2">Last updated 12/9/2002 - <a
 href="support.htm">Tom Eastep</a></font></p>
-     
+<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
-<p align="left"><a href="copyright.htm"><font size="2">Copyright  2002 Thomas
+Thomas M. Eastep</font></a></p>
- M. Eastep</font></a></p>
+<br>
-   <br>
+<br>
-   <br>
+<br>
-   <br>
+<br>
-   <br>
+<br>
-   <br>
+<br>
-   <br>
+<br>
-   <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/starting_and_stopping_shorewall.htm
+++ b/Shorewall-docs/starting_and_stopping_shorewall.htm
@ -9,19 +9,12 @@
  <title>Starting and Stopping Shorewall</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<div style="text-align: center;">
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<h1>Starting/Stopping and Monitoring the Firewall<br>
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+</h1>
-  <tbody>
+</div>
-    <tr>
+<p><br>
-      <td width="100%">
+If you have a permanent internet connection such as DSL or Cable, I
      <h1 align="center"><font color="#ffffff">Starting/Stopping and
 Monitoring the Firewall</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p> If you have a permanent internet connection such as DSL or Cable, I
 recommend that you start the firewall automatically at boot. Once you
 have installed "firewall" in your init.d directory, simply type
 "chkconfig --add firewall". This will start the firewall in run levels
@ -44,7 +37,7 @@ restart" in that script.</li>
 <p> </p>
 <p> You can manually start and stop Shoreline Firewall using the
 "shorewall" shell program. Please refer to the <a
- href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
+ href="starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
 State Diagram</a> is shown at the bottom of this page. </p>
 <ul>
  <li>shorewall start - starts the firewall</li>
--- a/Shorewall-docs/support.htm
+++ b/Shorewall-docs/support.htm
@ -7,19 +7,11 @@
  <title>Shorewall Support Guide</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+Support Guide <font><font color="#ffffff"><img
- bgcolor="#3366ff" height="90">
+ src="images/obrasinf.gif" alt=""
-  <tbody>
+ style="width: 90px; height: 90px; color: rgb(51, 0, 51);"
-    <tr>
+ align="middle" title=""></font></font></h1>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
 src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
      </font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <h2>Before Reporting a Problem or Asking a Question<br>
 </h2>
 There are a number of sources of Shorewall information. Please try
@ -29,15 +21,15 @@ these before you post.
  </li>
  <li>More than half of the questions posted on the support list have
 answers directly accessible from the <a
- href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
+ href="shorewall_quickstart_guide.htm#Documentation">Documentation
 Index</a><br>
  </li>
-  <li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
+  <li> The <a href="FAQ.htm">FAQ</a> has
 solutions to more than 20 common problems. </li>
-  <li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
+  <li> The <a href="troubleshoot.htm">Troubleshooting</a>
 Information contains a number of tips
 to help you solve common problems. </li>
-  <li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
+  <li> The <a href="errata.htm"> Errata</a>
 has links to download updated components. </li>
  <li> The Site and Mailing List Archives search facility can locate
 documents and posts about similar problems: </li>
@ -98,6 +90,13 @@ error messages, log entries, command output, and other output is
 better than a paraphrase or summary.<br>
    <br>
  </li>
  <li>Please don't describe your problem as "Computer A can't see
 Computer B". Of course it can't -- it hasn't any eyes! If ping from A
 to B fails, say so (and see below for information about reporting
 'ping' problems). If Computer B doesn't show up in "Network
 Neighborhood" then say so. <br>
    <br>
  </li>
  <li> Please don't describe your environment and then ask us to send
 you custom configuration files. We're here to answer your questions but
 we can't do your job for you.<br>
@ -143,7 +142,11 @@ problem is that some type of connection to/from or through your
 firewall
 isn't working then please perform the following four steps:<br>
      <br>
-1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
+1. <b><font color="#009900"><span style="color: rgb(0, 0, 0);">If
 shorewall isn't running then </span></font></b><font color="#009900"
 style="font-weight: bold; color: rgb(0, 153, 0);">/sbin/shorewall/start</font><b><font
 color="#009900"><span style="color: rgb(0, 0, 0);">. Otherwise</span>
 /sbin/shorewall reset<span style="color: rgb(0, 0, 0);">.</span></font></b><br>
      <br>
 2. Try making the connection that is failing.<br>
      <br>
@ -189,7 +192,7 @@ unless one also knows the policies).<br>
  </li>
  <li>If an error occurs when you try to "<font color="#009900"><b>shorewall
 start</b></font>", include a trace (See the <a
- href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
+ href="troubleshoot.htm">Troubleshooting</a>
 section for instructions).<br>
    <br>
  </li>
@ -232,7 +235,10 @@ you can post non MNF-specific Shorewall questions to the </b><a
 mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
  <p>Otherwise, please post your question or problem to the <a
 href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
-mailing list.</a> </p>
+mailing list.</a><span style="font-weight: bold;"> IMPORTANT: </span>If
 you are not subscribed to the list, please say so -- otherwise, you
 will not be included in any replies.<br>
  </p>
 </blockquote>
 <h2>Subscribing to the Users Mailing List<br>
 </h2>
@ -245,7 +251,7 @@ mailing list.</a> </p>
 <p>For information on other Shorewall mailing lists, go to <a
 href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
 </p>
-<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
+<p align="left"><font size="2">Last Updated 11/12/2003 - Tom Eastep</font></p>
 <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
 size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
 Eastep.</font></a></font><br>
--- a/Shorewall-docs/three-interface.htm
+++ b/Shorewall-docs/three-interface.htm
@ -9,17 +9,8 @@
  <title>Three-Interface Firewall</title>
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Three-Interface Firewall<br>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+</h1>
 id="AutoNumber5" bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p align="left">Setting up a Linux system as a firewall for a small
 network with DMZ is a fairly straight-forward task if you understand
 the basics and follow the documentation.</p>
@ -28,7 +19,11 @@ of Shorewall. It rather focuses on what is required to configure
 Shorewall in one of its more popular configurations:</p>
 <ul>
  <li>Linux system used as a firewall/router for a small local network.</li>
-  <li>Single public IP address.</li>
+  <li style="font-weight: bold;">Single public IP address. If you have
 more than one public IP address, this is not the guide you want -- see
 the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
 instead.<br>
  </li>
  <li>DMZ connected to a separate ethernet interface.</li>
  <li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
 ...</li>
@ -128,7 +123,9 @@ file matches the connection request then the first policy in
 /etc/shorewall/policy that matches the request is applied. If that
 policy is REJECT
 or DROP&nbsp; the request is first checked against the rules in
-/etc/shorewall/common (the samples provide that file for you).</p>
+/etc/shorewall/common if that file exists; otherwise the file
 /etc/shorewall/common.def is checked<br>
 </p>
 <p>The /etc/shorewall/policy file included with the three-interface
 sample has the following policies:</p>
 <blockquote>
@ -1064,9 +1061,15 @@ from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>
 Also, I don't recommend using "shorewall restart"; it is better to
 create an <i><a href="configuration_file_basics.htm#Configs">alternate
 configuration</a></i> and test it using the <a
- href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
 </p>
 <h2>Additional Recommended Reading</h2>
 I highly recommend that you review the <a
 href="configuration_file_basics.htm">Common Configuration File
 Features page</a> -- it contains helpful tips about Shorewall features
 than make administering your firewall easier.
 </div>
-<p align="left"><font size="2">Last updated 8/8/2003 - <a
+<p align="left"><font size="2">Last updated 11/15/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
 2003 Thomas M. Eastep</font></a><br>
--- a/Shorewall-docs/three-interface_fr.html
+++ b/Shorewall-docs/three-interface_fr.html
--- a/Shorewall-docs/traffic_shaping.htm
+++ b/Shorewall-docs/traffic_shaping.htm
@ -1,185 +1,161 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <title>Traffic Shaping</title>
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">Traffic Shaping/Control<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<p align="left">Shorewall has limited support for traffic
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+shaping/control. In order to use traffic shaping under Shorewall, it is
-                    <tbody>
+essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux
-                     <tr>
+Advanced Routing and Shaping HOWTO</a>, version 0.3.0 or later. It is
-                      <td width="100%">         
+also necessary to be running Linux Kernel 2.4.18 or later.</p>
-      <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
+<p align="left">Shorewall traffic shaping support consists of the
-                      </td>
+following:</p>
                    </tr>
  </tbody> 
 </table>
 <p align="left">Shorewall has limited support       for traffic shaping/control. 
 In order to use traffic shaping under Shorewall,       it is essential that 
 you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing 
 and Shaping HOWTO</a>,       version 0.3.0 or later. It is also necessary 
 to be running Linux Kernel 2.4.18 or later.</p>
 <p align="left">Shorewall traffic shaping support consists of the following:</p>
 <ul>
  <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
-    Traffic     Shaping  also requires that you enable packet mangling.</li>
+Traffic Shaping also requires that you enable packet mangling.</li>
  <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
- in  Shorewall  1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), 
+in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
- the  setting of  this variable determines whether Shorewall clears the traffic 
+the setting of this variable determines whether Shorewall clears the
-  shaping configuration  during Shorewall [re]start and Shorewall stop. <br>
+traffic shaping configuration during Shorewall [re]start and Shorewall
 stop. <br>
  </li>
  <li><b>/etc/shorewall/tcrules</b> - A file where you
 can specify firewall marking of packets. The firewall mark value
 may be used to classify packets for traffic shaping/control.<br>
  </li>
-                    <li><b>/etc/shorewall/tcstart </b>- A user-supplied file 
+  <li><b>/etc/shorewall/tcstart </b>- A user-supplied file that is
- that   is     sourced     by Shorewall during "shorewall start" and which 
+sourced by Shorewall during "shorewall start" and which you can use to
- you can       use to define     your traffic shaping disciplines and classes. 
+define your traffic shaping disciplines and classes. I have provided a <a
  I have   provided     a <a
 href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
-   table-driven CBQ shaping but if you read the traffic shaping   sections 
+table-driven CBQ shaping but if you read the traffic shaping sections
-  of     the     HOWTO mentioned above, you can probably code your   own faster
+of the HOWTO mentioned above, you can probably code your own faster
-  than     you can     learn how to use my sample. I personally  use    
+than you can learn how to use my sample. I personally use <a
-    <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a>      (see  below). 
+ href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
- HTB         support may eventually become an integral part of Shorewall 
+support may eventually become an integral part of Shorewall since HTB
-since  HTB   is a     lot simpler and better-documented than CBQ. As of 2.4.20,
+is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a
- HTB is a standard     part of the kernel but iproute2 must be patched  in
+standard part of the kernel but iproute2 must be patched in order to
- order  to     use it.<br>
+use it.<br>
    <br>
-                      In tcstart, when you want to run the 'tc' utility,
+In tcstart, when you want to run the 'tc' utility,
-use  the   run_tc    function      supplied by shorewall if you want tc errors 
+use the run_tc function supplied by shorewall if you want tc errors to
- to stop   the firewall.<br>
+stop the firewall.<br>
    <br>
-            You can generally use off-the-shelf traffic shaping scripts by 
+You can generally use off-the-shelf traffic shaping scripts by simply
-simply    copying  them to /etc/shorewall/tcstart. I use <a
+copying them to /etc/shorewall/tcstart. I use <a
- href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) 
+ href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB
-    that  way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
+version) that way (i.e., I just copied wshaper.htb to
 /etc/shorewall/tcstart
 and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
- you  use use Masquerading or SNAT (i.e., you only have one external IP address) 
+you use use Masquerading or SNAT (i.e., you only have one external IP
-   then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] 
+address) then listing internal hosts in the NOPRIOHOSTSRC variable in
-   script won't work. Traffic shaping occurs after SNAT has already been
+the wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
 has already been
 applied so when traffic shaping happens, all outbound traffic will have
-as a source     address the IP addresss of your firewall's external interface.<br>
+as a source address the IP addresss of your firewall's external
 interface.<br>
  </li>
-                    <li><b>/etc/shorewall/tcclear</b> - A user-supplied file 
+  <li><b>/etc/shorewall/tcclear</b> - A user-supplied file that is
- that   is     sourced     by Shorewall when it is clearing traffic shaping. 
+sourced by Shorewall when it is clearing traffic shaping. This file is
- This   file is     normally     not required as Shorewall's method of clearing 
+normally not required as Shorewall's method of clearing qdisc and
-  qdisc  and filter     definitions     is pretty general.</li>
+filter definitions is pretty general.</li>
 </ul>
-        Shorewall allows you to start traffic shaping when Shorewall itself 
+Shorewall allows you to start traffic shaping when Shorewall itself
- starts   or it allows you to bring up traffic shaping when you bring up your
+starts or it allows you to bring up traffic shaping when you bring up
- interfaces.<br>
+your interfaces.<br>
-        <br>
+<br>
-        To start traffic shaping when Shorewall starts:<br>
+To start traffic shaping when Shorewall starts:<br>
 <ol>
  <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
  <li>Supply an /etc/shorewall/tcstart script to configure your traffic
-   shaping rules.</li>
+shaping rules.</li>
  <li>Optionally supply an /etc/shorewall/tcclear script to stop
 traffic shaping. That is usually unnecessary.</li>
-          <li>If your tcstart script uses the 'fwmark' classifier, you can 
+  <li>If your tcstart script uses the 'fwmark' classifier, you can mark
-mark   packets using entries in /etc/shorewall/tcrules.</li>
+packets using entries in /etc/shorewall/tcrules.</li>
 </ol>
-        To start traffic shaping when you bring up your network interfaces, 
+To start traffic shaping when you bring up your network interfaces, you
- you   will have to arrange for your traffic shaping configuration script 
+will have to arrange for your traffic shaping configuration script to
-to be  run at that time. How you do that is distribution dependent and will 
+be run at that time. How you do that is distribution dependent and will
 not be covered here. You then should:<br>
 <ol>
  <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
  <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
- scripts.</li>
+scripts.</li>
  <li value="4">If your tcstart script uses the 'fwmark' classifier,
- you   can mark packets using entries in /etc/shorewall/tcrules.</li>
+you can mark packets using entries in /etc/shorewall/tcrules.</li>
 </ol>
 <h3 align="left">Kernel Configuration</h3>
-  
+<p align="left">This screen shot show how I've configured QoS in my
-<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
+Kernel:</p>
 <p align="center"><img border="0" src="images/QoS.png" width="590"
- height="764">
+ height="764"> </p>
                 </p>
 <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
-  
+<p align="left">The fwmark classifier provides a convenient way to
-<p align="left">The fwmark classifier provides a convenient way to classify 
+classify packets for traffic shaping. The /etc/shorewall/tcrules file
-        packets for traffic shaping. The /etc/shorewall/tcrules file provides 
+provides a means for specifying these marks in a tabular fashion.<br>
-    a  means  for specifying these marks in a tabular fashion.<br>
+</p>
-          </p>
+<p align="left">Normally, packet marking occurs in the PREROUTING chain
-  
+before any address rewriting takes place. This makes it impossible to
-<p align="left">Normally, packet marking occurs in the PREROUTING chain before 
+mark inbound packets based on their destination address when SNAT or
-    any address rewriting takes place. This makes it impossible to mark inbound 
+Masquerading
    packets based on their destination address when SNAT or Masquerading
 are being used. Beginning with Shorewall 1.3.12, you can cause packet
-marking    to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
+marking to occur in the FORWARD chain by using the
 MARK_IN_FORWARD_CHAIN
 option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
-          </p>
+</p>
 <p align="left">Columns in the file are as follows:</p>
 <ul>
-                    <li>MARK - Specifies the mark value is to be assigned 
+  <li>MARK - Specifies the mark value is to be assigned in case of a
-in  case   of      a match. This is an integer in the range 1-255. Beginning 
+match. This is an integer in the range 1-255. Beginning with Shorewall
-with Shorewall  version 1.3.14, this value may be optionally followed by
+version 1.3.14, this value may be optionally followed by
-":" and either 'F'  or 'P' to designate that the marking will occur in the
+":" and either 'F' or 'P' to designate that the marking will occur in
-FORWARD or PREROUTING  chains respectively. If this additional specification
+the
-is omitted, the chain  used to mark packets will be determined by the setting
+FORWARD or PREROUTING chains respectively. If this additional
 specification
 is omitted, the chain used to mark packets will be determined by the
 setting
 of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
    <br>
-                      Example - 5<br>
+Example - 5<br>
  </li>
  <li>SOURCE - The source of the packet. If the packet
 originates on the firewall, place "fw" in this column. Otherwise,
 this is a comma-separated list of interface names, IP addresses, MAC
-addresses   in    <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
+addresses in <a href="Documentation.htm#MAC">Shorewall Format</a>
 and/or
 Subnets.<br>
    <br>
-                      Examples<br>
+Examples<br>
-                          eth0<br>
+&nbsp;&nbsp;&nbsp; eth0<br>
-                          192.168.2.4,192.168.1.0/24<br>
+&nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>
  </li>
-                    <li>DEST -- Destination of the packet. Comma-separated 
+  <li>DEST -- Destination of the packet. Comma-separated list of IP
-list   of      IP  addresses and/or subnets.<br>
+addresses and/or subnets.<br>
  </li>
-                    <li>PROTO - Protocol - Must be the name of a protocol 
+  <li>PROTO - Protocol - Must be the name of a protocol from
-from       /etc/protocol,    a number or "all"<br>
+/etc/protocol, a number or "all"<br>
  </li>
-                    <li>PORT(S) - Destination Ports. A comma-separated list 
+  <li>PORT(S) - Destination Ports. A comma-separated list of Port names
- of  Port       names  (from /etc/services), port numbers or port ranges (e.g.,
+(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
-  21:22);     if     the  protocol is "icmp", this column is interpreted as
+protocol is "icmp", this column is interpreted as the destination icmp
-  the     destination    icmp  type(s).<br>
+type(s).<br>
  </li>
-                    <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. 
+  <li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
-   If      omitted,  any source port is acceptable. Specified as a comma-separate 
+omitted, any source port is acceptable. Specified as a comma-separate
-     list      of port names, port numbers or port ranges.</li>
+list of port names, port numbers or port ranges.</li>
 </ul>
-  
+<p align="left">Example 1 - All packets arriving on eth1 should be
-<p align="left">Example 1 - All packets arriving on eth1 should be marked 
+marked with 1. All packets arriving on eth2 and eth3 should be marked
-        with 1. All packets arriving on eth2 and eth3 should be marked with 
+with 2. All packets originating on the firewall itself should be marked
-  2.   All packets   originating on the firewall itself should be marked with
+with 3.</p>
  3.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
  <tbody>
    <tr>
@ -195,16 +171,16 @@ from       /etc/protocol,    a number or "all"<br>
      <td>eth1</td>
      <td>0.0.0.0/0</td>
      <td>all</td>
-                      <td> </td>
+      <td>&nbsp;</td>
-                      <td> </td>
+      <td>&nbsp;</td>
    </tr>
    <tr>
      <td>2</td>
      <td>eth2</td>
      <td>0.0.0.0/0</td>
      <td>all</td>
-                      <td> </td>
+      <td>&nbsp;</td>
-                      <td> </td>
+      <td>&nbsp;</td>
    </tr>
    <tr>
      <td valign="top">2<br>
@ -225,17 +201,14 @@ from       /etc/protocol,    a number or "all"<br>
      <td>fw</td>
      <td>0.0.0.0/0</td>
      <td>all</td>
-                      <td> </td>
+      <td>&nbsp;</td>
-                      <td> </td>
+      <td>&nbsp;</td>
    </tr>
  </tbody>
 </table>
-  
+<p align="left">Example 2 - All GRE (protocol 47) packets not
-<p align="left">Example 2 - All GRE (protocol 47) packets not originating 
+originating on the firewall and destined for 155.186.235.151 should be
-        on the firewall and destined for 155.186.235.151 should be marked 
+marked with 12.</p>
 with     12.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
  <tbody>
    <tr>
@ -251,16 +224,14 @@ with     12.</p>
      <td>0.0.0.0/0</td>
      <td>155.186.235.151</td>
      <td>47</td>
-                      <td> </td>
+      <td>&nbsp;</td>
-                      <td> </td>
+      <td>&nbsp;</td>
    </tr>
  </tbody>
 </table>
-  
+<p align="left">Example 3 - All SSH packets originating in
-<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 
+192.168.1.0/24 and destined for 155.186.235.151 should be marked with
-        and destined for 155.186.235.151 should be marked with 22.</p>
+22.</p>
 <table border="2" cellpadding="2" style="border-collapse: collapse;">
  <tbody>
    <tr>
@ -277,65 +248,59 @@ with     12.</p>
      <td>155.186.235.151</td>
      <td>tcp</td>
      <td>22</td>
-                      <td> </td>
+      <td>&nbsp;</td>
    </tr>
  </tbody>
 </table>
-  
+<h3>My Current Setup<br>
-<h3>My Setup<br>
+</h3>
-            </h3>
+<p>I am currently using the HTB version of <a
-  
+ href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just
-<p>While I am currently using the HTB version of <a
+copied wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as
- href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied 
+shown in the Wondershaper README).<span style="font-weight: bold;"> </span>WonderShaper
-    wshaper.htb  to <b>/etc/shorewall/tcstart</b> and modified it as shown 
+DOES NOT USE THE
- in  the Wondershaper README),  I have also run with the following set of 
+/etc/shorewall/tcrules file. While I currently have entries in
-hand-crafted  rules in my <b>/etc/shorewall/tcstart</b>  file:<br>
+/etc/shorewall/tcrules, I do so for <a
-            </p>
+ href="Shorewall_Squid_Usage.html">policy routing for Squid</a> and not
-  
+for Traffic Shaping.</p>
 <h3>My Old Setup<br>
 </h3>
 <p>I have also run with the following set of hand-crafted rules in my <b>/etc/shorewall/tcstart</b>
 file.<br>
 </p>
 <blockquote>
-  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
+  <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "&nbsp;&nbsp; Added Top Level Class -- rate 384kbit"</pre>
-    
+  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit&nbsp; ceil 384kbit burst 15k quantum 1500 prio 1</pre>
-  <pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1</pre>
+  <pre>echo "&nbsp;&nbsp; Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
  <pre>echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
  <pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
-    
+  <pre>echo "&nbsp;&nbsp; Enabled PFIFO on Second Level Classes"</pre>
  <pre>echo "   Enabled PFIFO on Second Level Classes"</pre>
  <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
-    
+  <pre>echo "&nbsp;&nbsp; Defined fwmark filters"<br></pre>
-  <pre>echo "   Defined fwmark filters"<br></pre>
+</blockquote>
-                            </blockquote>
+<p>My tcrules file that went with this tcstart file is shown in Example
-  
+1 above. When I was using these rules:<br>
-<p>My tcrules file that went with this tcstart file is shown in Example 1 
+</p>
     above. You can look at <a href="myfiles.htm">my configuration</a> to 
 see why I wanted shaping of this type.<br>
             </p>
 <ol>
-               <li>I wanted to allow up to 140kbits/second for traffic outbound 
+  <li>I wanted to allow up to 140kbits/second for traffic outbound from
-   from   my DMZ (note that the ceiling is set to 384kbit so outbound DMZ 
+my DMZ (eth1 -- note that the ceiling is set to 384kbit so outbound DMZ
 traffic can use all available bandwidth if there is no traffic from the
 local systems or from my laptop or firewall).</li>
-               <li>My laptop and local systems could use up to 224kbits/second.</li>
+  <li>My laptop (which at that time connected via eth3) and local
 systems (eth2) could use up to 224kbits/second.</li>
  <li>My firewall could use up to 20kbits/second.</li>
 </ol>
-   You see <a href="myfiles.htm">the rest of my Shorewall configuration</a> 
+Once www.shorewall.net was moved off-site, I no longer needed these
- to see how this fit in. <br>
+shaping rules and The Wonder Shaper does all that I now require.<br>
-  
+<p><font size="2">Last Updated 10/21/2003 - <a href="support.htm">Tom
-<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
+Eastep</a></font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-         © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
-      </p>
+</p>
-      <br>
+<br>
-     <br>
+<br>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/troubleshoot.htm
+++ b/Shorewall-docs/troubleshoot.htm
@ -8,19 +8,10 @@
  <meta name="ProgId" content="FrontPage.Editor.Document">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+Troubleshooting <img src="images/obrasinf.gif"
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+ alt="Beating head on table" style="width: 90px; height: 90px;"
-  <tbody>
+ align="middle" title=""></h1>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
 src="images/obrasinf.gif" alt="Beating head on table" width="90"
 height="90" align="middle"> </font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <h3 style="text-align: center;"><span style="font-style: italic;">"If
 you think you can you can; if you think you can't you're right.<br>
 If you don't believe that you can, why should someone else?" -- Gunnar
@ -145,8 +136,8 @@ sending the packets or the destination host isn't in any zone (using an
        <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
 are you?); or</li>
      <li>the source and destination hosts are both connected to the
-same interface and you don't have a policy or rule for the
+same interface and you haven't specified the 'routeback' option on that
-source zone to or from the destination zone.</li>
+interface.</li>
    </ol>
  </li>
  <li>Remember that Shorewall doesn't automatically allow ICMP type 8
@ -199,7 +190,7 @@ in /etc/shorewall/shorewall.conf.</li>
 <font face="Century Gothic, Arial, Helvetica">
 <blockquote> </blockquote>
 </font>
-<p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
+<p><font size="2">Last updated 11/1/2003 - Tom Eastep</font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
 © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
 </p>
--- a/Shorewall-docs/two-interface.htm
+++ b/Shorewall-docs/two-interface.htm
@ -10,18 +10,8 @@
  <meta name="Microsoft Theme" content="none">
 </head>
 <body>
-<table border="0" cellpadding="0" cellspacing="0"
+<h1 style="text-align: center;">Basic Two-Interface Firewall<br>
- style="border-collapse: collapse;" width="100%" id="AutoNumber5"
+</h1>
 bgcolor="#3366ff" height="90">
  <tbody>
    <tr>
      <td width="100%">
      <h1 align="center"><font color="#ffffff">Basic Two-Interface
 Firewall</font></h1>
      </td>
    </tr>
  </tbody>
 </table>
 <p align="left">Setting up a Linux system as a firewall for a small
 network is a fairly straight-forward task if you understand the basics
 and follow the documentation.</p>
@ -30,7 +20,10 @@ of Shorewall. It rather focuses on what is required to configure
 Shorewall in its most common configuration:</p>
 <ul>
  <li>Linux system used as a firewall/router for a small local network.</li>
-  <li>Single public IP address.</li>
+  <li style="font-weight: bold;">Single public IP address. If you have
 more than one public IP address, this is not the guide you want -- see
 the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
 instead.</li>
  <li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
 dial-up ...</li>
 </ul>
@ -140,8 +133,8 @@ that file matches the connection request then the first policy
 in /etc/shorewall/policy that matches the request is applied.
 If that policy is REJECT or DROP&nbsp; the request is first checked
 against
-the rules in /etc/shorewall/common (the samples provide that file
+the rules in /etc/shorewall/common if that file exists; otherwise the
-for you).</p>
+rules in /etc/shorewall/common.def are checked.</p>
 <p>The /etc/shorewall/policy file included with the two-interface
 sample
 has the following policies:</p>
@ -946,9 +939,15 @@ have added an entry for the IP address that you are connected from to <a
 Also, I don't recommend using "shorewall restart"; it is better
 to create an <i><a href="configuration_file_basics.htm#Configs">alternate
 configuration</a></i> and test it using the <a
- href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
+ href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
 </p>
 <h2>Additional Recommended Reading</h2>
 I highly recommend that you review the <a
 href="configuration_file_basics.htm">Common Configuration File
 Features page</a> -- it contains helpful tips about Shorewall features
 than make administering your firewall easier.
 </div>
-<p align="left"><font size="2">Last updated 8/8/2003 - <a
+<p align="left"><font size="2">Last updated 11/15/2003 - <a
 href="support.htm">Tom Eastep</a></font></p>
 <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
 2003 Thomas M. Eastep</font></a><br>
--- a/Shorewall-docs/two-interface_fr.html
+++ b/Shorewall-docs/two-interface_fr.html
--- a/Shorewall-docs/upgrade_issues.htm
+++ b/Shorewall-docs/upgrade_issues.htm
@ -1,471 +1,378 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Upgrade Issues</title>
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta name="Microsoft Theme" content="none">
 </head>
-  <body>
+<body>
-                  
+<h1 style="text-align: center;">Upgrade Issues<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" width="100%" id="AutoNumber1"
+<p>For upgrade instructions see the <a href="Install.htm">Install/Upgrade
- bgcolor="#3366ff" height="90">
+page</a>.<br>
-                             <tbody>
+</p>
-                             <tr>
+<p>It is important that you read all of the sections on this page where
-                               <td width="100%">                        
+the version number mentioned in the section title is later than what
-                                       
+you are currently running.<br>
-      <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
+</p>
                               </td>
                             </tr>
  </tbody>         
 </table>
 <p>For upgrade instructions see the                               <a
 href="Install.htm">Install/Upgrade page</a>.<br>
             </p>
 <p>It is important that you read all of the sections on this page where the 
      version number mentioned in the section title is later than what you 
 are    currently running.<br>
       </p>
 <p> In the descriptions that follows, the term <b><i>group </i></b>refers
-   to a particular  network or subnetwork (which may be 0.0.0.0/0 or it may 
+to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
-  be a host address)  accessed through a particular interface.<br>
+be a host address) accessed through a particular interface.<br>
-       </p>
+</p>
 <p>Examples:<br>
-               <br>
+&nbsp;&nbsp;&nbsp; <br>
-           eth0:0.0.0.0/0<br>
+&nbsp;&nbsp;&nbsp; eth0:0.0.0.0/0<br>
-              eth2:192.168.1.0/24<br>
+&nbsp;&nbsp;&nbsp; eth2:192.168.1.0/24<br>
-              eth3:192.0.2.123<br>
+&nbsp;&nbsp;&nbsp; eth3:192.0.2.123<br>
-      </p>
+</p>
-           
+<p> You can use the "shorewall check" command to see the groups
-<p> You can use the "shorewall check" command to see the groups associated
+associated with each of your zones.<br>
-   with each of your zones.<br>
+</p>
             </p>
 <h3> </h3>
-                  
+<h3>Version &gt;= 1.4.8</h3>
 <h3>Version &gt;= 1.4.6</h3>
 <ul>
-   <li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed 
+  <li>The meaning of ROUTE_FILTER=Yes has changed. Previously this
-from shorewall.conf. These capabilities are now automatically detected by 
+setting was documented as causing route filtering to occur on all
-Shorewall.</li>
+network interfaces; this didn't work. Beginning with this release,
-   <li>An undocumented <i>feature</i> previously allowed entries in the host 
+ROUTE_FILTER=Yes causes route filtering to occur on all interfaces
-file as follows:<br>
+brought up while Shorewall is running. This means that it may be
-     <br>
+appropriate to set ROUTE_FILTER=Yes <span
-     <i>zone</i>    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
+ style="text-decoration: underline;">and</span> use the routefilter
-     <br>
+option in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
- This capability was never documented and has been removed in 1.4.6 to allow 
+entries.<br>
 entries of the following format:<br>
     <br>
     <i>zone</i>   eth1:192.168.1.0/24,192.168.2.0/24<br>
  </li>
 </ul>
-   
+<h3>Version &gt;= 1.4.6</h3>
-<h3>Version &gt;= 1.4.4</h3>
+<ul>
-     If you are upgrading from 1.4.3 and have set the LOGMARKER variable
+  <li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
-in  <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then 
+removed from shorewall.conf. These capabilities are now automatically
-you  must set the new LOGFORMAT variable appropriately and remove your setting 
+detected by Shorewall.</li>
-  of LOGMARKER<br>
+  <li>An undocumented <i>feature</i> previously allowed entries in the
 host file as follows:<br>
    <br>
-     
+    <i>zone</i> &nbsp; &nbsp;eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
    <br>
 This capability was never documented and has been removed in 1.4.6 to
 allow entries of the following format:<br>
    <br>
    <i>zone</i> &nbsp; eth1:192.168.1.0/24,192.168.2.0/24<br>
  </li>
 </ul>
 <h3>Version &gt;= 1.4.4</h3>
 If you are upgrading from 1.4.3 and have set the LOGMARKER variable
 in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>,
 then you must set the new LOGFORMAT variable appropriately and remove
 your setting of LOGMARKER<br>
 <br>
 <h3>Version 1.4.4<br>
-   </h3>
+</h3>
-   If you have zone names that are 5 characters long, you may experience
+If you have zone names that are 5 characters long, you may experience
 problems starting Shorewall because the --log-prefix in a logging rule
 is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
 <h3>Version &gt;= 1.4.2</h3>
-       There are some cases where you may want to handle traffic from a particular 
+There are some cases where you may want to handle traffic from a
-   group to itself. While I personally think that such a setups are ridiculous, 
+particular group to itself. While I personally think that such a setups
-   there are two cases covered in this documentation where it can occur:<br>
+are ridiculous, there are two cases covered in this documentation where
-             
+it can occur:<br>
 <ol>
  <li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
  <li><a href="Shorewall_Squid_Usage.html">When running Squid as a
 transparent proxy in your local zone.</a></li>
 </ol>
-       If you have either of these cases, you will want to review the current 
+If you have either of these cases, you will want to review the current
-  documentation  and change your configuration accordingly.<br>
+documentation and change your configuration accordingly.<br>
 <h3>Version &gt;= 1.4.1</h3>
 <ul>
  <li>Beginning with Version 1.4.1, traffic between groups in
 the same zone is accepted by default. Previously, traffic from a zone
 to itself was treated just like any other traffic; any matching rules
-were applied  followed  by enforcement of the appropriate  policy. With 1.4.1
+were applied followed by enforcement of the appropriate policy. With
 1.4.1
 and later versions, unless you have explicit rules for traffic from Z
-to Z or you  have an explicit  Z to Z policy (where "Z" is some  zone) then
+to Z or you have an explicit Z to Z policy (where "Z" is some zone)
-traffic between  the groups in  zone Z will be accepted. If you do have one
+then
-or more explicit  rules for Z to Z or if you have an explicit Z to Z policy
+traffic between the groups in zone Z will be accepted. If you do have
 one
 or more explicit rules for Z to Z or if you have an explicit Z to Z
 policy
 then the behavior is as it was in prior versions.</li>
 </ul>
 <blockquote>
  <ol>
    <li>If you have a Z Z ACCEPT policy for a zone to allow traffic
-   between   two interfaces to the same zone, that policy can be removed
+between two interfaces to the same zone, that policy can be removed
-and    traffic between  the interfaces will traverse fewer rules than previously.</li>
+and traffic between the interfaces will traverse fewer rules than
-               <li>If you have a Z Z DROP or Z Z REJECT policy or you have
+previously.</li>
- Z-&gt;Z    rules then your configuration should not require any change.</li>
+    <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
 rules then your configuration should not require any change.</li>
    <li>If you are currently relying on a implicit policy (one
 that has "all" in either the SOURCE or DESTINATION column) to prevent
 traffic between two interfaces to a zone Z and you have no rules for
 Z-&gt;Z then you should add an explicit DROP or REJECT policy for Z to
 Z.<br>
    </li>
  </ol>
-           </blockquote>
+</blockquote>
 <ul>
-        <li>    Sometimes, you want two separate zones on one interface but 
+  <li> Sometimes, you want two separate zones on one interface but you
- you  don't want  Shorewall to set up any infrastructure to handle traffic 
+don't want Shorewall to set up any infrastructure to handle traffic
- between  them. </li>
+between them. </li>
 </ul>
 <blockquote>Example:<br>
  <blockquote>
    <pre>/etc/shorewall/zones<br><br>z1	Zone1	The first Zone<br>z2	Zone2	The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2	eth1	192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1	eth1:192.168.1.3<br></pre>
  </blockquote>
-          Here, zone z1 is nested in zone z2 and the firewall is not going
+Here, zone z1 is nested in zone z2 and the firewall is not going to be
- to  be  involved in any traffic between these two zones. Beginning with
+involved in any traffic between these two zones. Beginning with
-Shorewall     1.4.1, you can prevent Shorewall from setting up any infrastructure
+Shorewall 1.4.1, you can prevent Shorewall from setting up any
 infrastructure
 to handle traffic between z1 and z2 by using the new NONE policy:<br>
  <blockquote>
    <pre>/etc/shorewall/policy<br><pre>z1	z2	NONE<br>z2	z1	NONE</pre></pre>
  </blockquote>
-          Note that NONE policies are generally used in pairs unless there
+Note that NONE policies are generally used in pairs unless there is
- is  asymetric   routing where only the traffic on one direction flows through 
+asymetric routing where only the traffic on one direction flows through
-  the firewall   and you are using a NONE polciy in the other direction. </blockquote>
+the firewall and you are using a NONE polciy in the other
-                        
+direction.&nbsp;</blockquote>
 <h3>Version 1.4.1<br>
-      </h3>
+</h3>
 <ul>
-             <li>In Version 1.4.1, Shorewall will never create rules  to
+  <li>In Version 1.4.1, Shorewall will never create rules to deal with
- deal   with traffic from a given group back to itself.  The <i>multi</i> 
+traffic from a given group back to itself. The <i>multi</i> interface
- interface   option is no longer available so if you want to route traffic 
+option is no longer available so if you want to route traffic between
-between  two   subnetworks on the same interface then I recommend that you 
+two subnetworks on the same interface then I recommend that you upgrade
-upgrade to Version   1.4.2 and use the 'routeback' interface or host option. </li>
+to Version 1.4.2 and use the 'routeback' interface or host option.&nbsp;</li>
 </ul>
 <h3>Version &gt;= 1.4.0</h3>
-               <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the
+<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
-  iproute    package  ('ip' utility).</b><br>
+package ('ip' utility).</b><br>
-            <br>
+<br>
-            <b>Note: </b>Unfortunately, some distributions call this package
+<b>Note: </b>Unfortunately, some distributions call this package
-  iproute2    which will cause the upgrade of Shorewall to fail with the
+iproute2 which will cause the upgrade of Shorewall to fail with the
 diagnostic:<br>
-               <br>
+<br>
-                  error: failed dependencies:iproute is needed by  shorewall-1.4.0-1 
+&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
-         <br>
+shorewall-1.4.0-1 <br>
-               <br>
+<br>
-             This may be worked around by using the --nodeps option of rpm
+This may be worked around by using the --nodeps option of rpm (rpm -Uvh
- (rpm   -Uvh   --nodeps &lt;shorewall rpm&gt;).<br>
+--nodeps &lt;shorewall rpm&gt;).<br>
-               <br>
+<br>
-               If you are upgrading from a version &lt; 1.4.0, then:<br>
+If you are upgrading from a version &lt; 1.4.0, then:<br>
 <ul>
-                    <li>The <b>noping </b>and <b>forwardping</b> interface
+  <li>The <b>noping </b>and <b>forwardping</b> interface options are
- options    are   no  longer supported nor is the <b>FORWARDPING </b>option
+no longer supported nor is the <b>FORWARDPING </b>option in
- in shorewall.conf.       ICMP echo-request (ping) packets are treated just
+shorewall.conf. ICMP echo-request (ping) packets are treated just like
- like any other connection       request and are subject to rules and policies.</li>
+any other connection request and are subject to rules and policies.</li>
-                    <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; 
+  <li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
-    in   /etc/shorewall/interfaces   now generate a Shorewall error at startup 
+/etc/shorewall/interfaces now generate a Shorewall error at startup
-    (they   always have produced warnings   in iptables).</li>
+(they always have produced warnings in iptables).</li>
  <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
-      Shorewall  1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
+Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
-    contents   are  determined by BOTH the interfaces and hosts files when
+contents are determined by BOTH the interfaces and hosts files when
- there   are entries   for the zone in both files.</li>
+there are entries for the zone in both files.</li>
  <li>The <b>routestopped</b> option in the interfaces
 and hosts file has been eliminated; use entries in the routestopped
 file instead.</li>
-                    <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
+  <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
-  is  no  longer     accepted; you must convert to using the new syntax.</li>
+accepted; you must convert to using the new syntax.</li>
-                    <li value="6">The ALLOWRELATED variable in shorewall.conf 
+  <li value="6">The ALLOWRELATED variable in shorewall.conf is no
-  is  no  longer    supported.  Shorewall 1.4 behavior is the same as 1.3 
+longer supported. Shorewall 1.4 behavior is the same as 1.3 with
-with  ALLOWRELATED=Yes.</li>
+ALLOWRELATED=Yes.</li>
-                    <li value="6">Late-arriving DNS replies are now dropped 
+  <li value="6">Late-arriving DNS replies are now dropped by default;
- by  default;     there  is no need for your own /etc/shorewall/common file 
+there is no need for your own /etc/shorewall/common file simply to
- simply  to avoid     logging  these packets.</li>
+avoid logging these packets.</li>
-                    <li value="6">The 'firewall', 'functions' and 'version' 
+  <li value="6">The 'firewall', 'functions' and 'version' file have
- file   have   been   moved to /usr/share/shorewall.</li>
+been moved to /usr/share/shorewall.</li>
-                   <li value="6">The icmp.def file has been removed. If you 
+  <li value="6">The icmp.def file has been removed. If you include it
- include     it  from  /etc/shorewall/icmpdef, you will need to modify that 
+from /etc/shorewall/icmpdef, you will need to modify that file.</li>
 file.</li>
  <ul>
  </ul>
-                <li>If you followed the advice in FAQ #2 and call find_interface_address 
+  <li>If you followed the advice in FAQ #2 and call
-      in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
+find_interface_address in /etc/shorewall/params, that code should be
 moved to /etc/shorewall/init.<br>
  </li>
 </ul>
 <ul>
 </ul>
 <h3>Version 1.4.0</h3>
 <ul>
  <li value="8">The 'multi' interface option is no longer supported.
-    Shorewall     will generate rules for sending packets back out the same 
+&nbsp;Shorewall will generate rules for sending packets back out the
-  interface that    they arrived on in two cases:</li>
+same interface that they arrived on in two cases:</li>
 </ul>
 <blockquote>
  <ul>
-               <li>There is an <u>explicit</u> policy for the source zone 
+    <li>There is an <u>explicit</u> policy for the source zone to or
-to  or  from     the destination zone. An explicit policy names both zones 
+from the destination zone. An explicit policy names both zones and does
-and  does  not  use   the 'all' reserved word.</li>
+not use the 'all' reserved word.</li>
  </ul>
  <ul>
-               <li>There are one or more rules for traffic for the source 
+    <li>There are one or more rules for traffic for the source zone to
-zone   to   or  from the destination zone including rules that use the 'all' 
+or from the destination zone including rules that use the 'all'
 reserved word. Exception: if the source zone and destination zone are
 the same then the rule must be explicit - it must name the zone in both
 the SOURCE and DESTINATION columns.</li>
  </ul>
-           </blockquote>
+</blockquote>
 <h3>Version &gt;= 1.3.14</h3>
-                   <img src="images/BD21298_3.gif" alt="" width="13"
+<img src="images/BD21298_3.gif" alt="" width="13" height="13">
- height="13">
+&nbsp;&nbsp; &nbsp; Beginning in version 1.3.14, Shorewall treats
-                        Beginning in version 1.3.14, Shorewall treats entries 
+entries in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
-  in  <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. 
+The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
-  The  change      involves entries with an <b>interface name</b> in the <b>SUBNET</b>
+(second) <b>column</b>:<br>
   (second)      <b>column</b>:<br>
 <ul>
-                      <li>Prior to 1.3.14, Shorewall would detect the FIRST 
+  <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
- subnet    on  the   interface  (as shown by "ip addr show <i>interface</i>") 
+interface (as shown by "ip addr show <i>interface</i>") and would
- and would    masquerade   traffic  from that subnet. Any other subnets that 
+masquerade traffic from that subnet. Any other subnets that routed
- routed through    eth1 needed   their  own entry in /etc/shorewall/masq to
+through eth1 needed their own entry in /etc/shorewall/masq to be
- be masqueraded   or  to have SNAT   applied.</li>
+masqueraded or to have SNAT applied.</li>
-                      <li>Beginning with Shorewall 1.3.14, Shorewall uses 
+  <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
-the   firewall's      routing   table to determine ALL subnets routed through 
+routing table to determine ALL subnets routed through the named
-the  named interface.      Traffic   originating in ANY of those subnets is
+interface. Traffic originating in ANY of those subnets is
 masqueraded or has SNAT applied.</li>
 </ul>
-                    You will need to make a change to your configuration
+You will need to make a change to your configuration
 if:<br>
 <ol>
-                      <li>You have one or more entries in /etc/shorewall/masq 
+  <li>You have one or more entries in /etc/shorewall/masq with an
-  with   an  interface    name in the SUBNET (second) column; and</li>
+interface name in the SUBNET (second) column; and</li>
  <li>That interface connects to more than one subnetwork.</li>
 </ol>
-                    Two examples:<br>
+Two examples:<br>
-                    <br>
+<br>
-                     <b>Example 1</b> -- Suppose that your current config 
+&nbsp;<b>Example 1</b> -- Suppose that your current config is as
-is  as  follows:<br>
+follows:<br>
-                       <br>
+&nbsp;&nbsp; <br>
-                  
+<pre>	[root@gateway test]# cat /etc/shorewall/masq<br>	#INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS<br>	eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br>	eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.10.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br>	[root@gateway test]# ip route show dev eth2<br>	192.168.1.0/24&nbsp; scope link<br>	192.168.10.0/24&nbsp; proto kernel&nbsp; scope link&nbsp; src 192.168.10.254<br>	[root@gateway test]#</pre>
-<pre>	[root@gateway test]# cat /etc/shorewall/masq<br>	#INTERFACE              SUBNET                  ADDRESS<br>	eth0                    eth2                    206.124.146.176<br>	eth0                    192.168.10.0/24         206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br>	[root@gateway test]# ip route show dev eth2<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br>	[root@gateway test]#</pre>
+<blockquote>In this case, the second entry in /etc/shorewall/masq is no
-                  
+longer required.<br>
-<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer 
+</blockquote>
-         required.<br>
+<b>Example 2</b>-- What if your current configuration is like this?<br>
-                    </blockquote>
+<pre>	[root@gateway test]# cat /etc/shorewall/masq	<br>	#INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS	<br>	eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	<br>	[root@gateway test]# ip route show dev eth2	<br>	192.168.1.0/24&nbsp; scope link<br>	192.168.10.0/24&nbsp; proto kernel&nbsp; scope link&nbsp; src 192.168.10.254	<br>	[root@gateway test]#</pre>
-                    <b>Example 2</b>-- What if your current configuration 
+<blockquote>In this case, you would want to change the entry in
-is  like   this?<br>
+/etc/shorewall/masq to:<br>
-                  
+</blockquote>
-<pre>	[root@gateway test]# cat /etc/shorewall/masq	<br>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    eth2                    206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	<br>	[root@gateway test]# ip route show dev eth2	<br>	192.168.1.0/24  scope link<br>	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254	<br>	[root@gateway test]#</pre>
+<pre>	#INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS	<br>	eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
-                  
+<img src="images/BD21298_3.gif" alt="" width="13" height="13">
-<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq 
+&nbsp;&nbsp;&nbsp; Version 1.3.14 also introduced simplified ICMP
-         to:<br>
+echo-request (ping) handling. The option OLD_PING_HANDLING=Yes in
-                    </blockquote>
+/etc/shorewall/shorewall.conf is used to specify that the old
-                  
+(pre-1.3.14) ping handling is to be used (If the option is not set in
-<pre>	#INTERFACE              SUBNET                  ADDRESS	<br>	eth0                    192.168.1.0/24          206.124.146.176<br>	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
+your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes is
-                    <img src="images/BD21298_3.gif" alt="" width="13"
+assumed). I don't plan on supporting the old handling indefinitely so I
- height="13">
+urge current users to migrate to using the new handling as soon as
-                       Version 1.3.14 also introduced simplified ICMP echo-request 
+possible. See the <a href="ping.html">'Ping' handling documentation</a>
-    (ping)    handling.  The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf 
+for details.<br>
        is used  to specify that the old (pre-1.3.14) ping handling is to 
 be   used     (If the option is not set in your /etc/shorewall/shorewall.conf 
  then OLD_PING_HANDLING=Yes      is assumed). I don't plan on supporting 
 the  old handling indefinitely  so   I urge current users to migrate to using 
 the new handling as soon as  possible.    See the <a href="ping.html">'Ping' 
 handling documentation</a>  for details.<br>
 <h3>Version 1.3.10</h3>
-                     If you have installed the 1.3.10 Beta 1 RPM and are
+If you have installed the 1.3.10 Beta 1 RPM and are
 now upgrading to version 1.3.10, you will need to use the '--force'
 option:<br>
-                     <br>
+<br>
 <blockquote>
-  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
+  <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm&nbsp;</pre>
-                     </blockquote>
+</blockquote>
 <h3>Version &gt;= 1.3.9</h3>
-                       The 'functions' file has moved to /usr/lib/shorewall/functions. 
+The 'functions' file has moved to /usr/lib/shorewall/functions. If you
-      If  you   have  an application that uses functions from that file, your
+have an application that uses functions from that file, your
-    application     will need to be changed to reflect this change of location.<br>
+application will need to be changed to reflect this change of location.<br>
 <h3>Version &gt;= 1.3.8</h3>
-                  
+<p>If you have a pair of firewall systems configured for failover or if
-<p>If you have a pair of firewall systems configured for            failover 
+you have asymmetric routing, you will need to modify your firewall
-            or if you have asymmetric routing, you will need to modify   
+setup slightly under Shorewall versions &gt;= 1.3.8. Beginning with
-                      your firewall setup slightly under Shorewall      
+version 1.3.8, you must set NEWNOTSYN=Yes in your
-                      versions &gt;= 1.3.8. Beginning with version 1.3.8, 
+/etc/shorewall/shorewall.conf file.</p>
                                    you must set NEWNOTSYN=Yes in your   
                            /etc/shorewall/shorewall.conf file.</p>
 <h3>Version &gt;= 1.3.7</h3>
-                  
+<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf will need to
-<p>Users specifying ALLOWRELATED=No in                                /etc/shorewall.conf 
+include the following rules in their /etc/shorewall/icmpdef file
-            will need to include the                                following 
+(creating this file if necessary):</p>
    rules      in  their /etc/shorewall/icmpdef   file (creating       this 
  file if necessary):</p>
 <pre>	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br>	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
-                  
+<p>Users having an /etc/shorewall/icmpdef file may remove the ".
-<p>Users having an /etc/shorewall/icmpdef file may remove the ".   /etc/shorewall/icmp.def" 
+/etc/shorewall/icmp.def" command from that file since the icmp.def file
-            command from that file since the icmp.def file is now   empty.</p>
+is now empty.</p>
 <h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
 <p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
 <ol>
-                                                          <li>Be sure you 
+  <li>Be sure you have a backup -- you will need to transcribe any
-have   a  backup    --  you   will  need                                 
+Shorewall configuration changes that you have made to the new
-to transcribe    any  Shorewall   configuration                         
+configuration.</li>
-          changes    that  you have made   to the new                   
+  <li>Replace the shorwall.lrp package provided on the Bering floppy
-              configuration.</li>
+with the later one. If you did not obtain the later version from
-                                                          <li>Replace the 
+Jacques's site, see additional instructions below.</li>
-shorwall.lrp       package     provided  on                              
+  <li>Edit the /var/lib/lrpkg/root.exclude.list file and remove the
-   the Bering  floppy     with the    later one.  If you did            
+/var/lib/shorewall entry if present. Then do not forget to backup
-                     not   obtain  the later   version from Jacques's   site,
+root.lrp !</li>
 see additional    instructions   below.</li>
                                                          <li>Edit the /var/lib/lrpkg/root.exclude.list 
                                             file and remove the /var/lib/shorewall 
          entry  if                                  present. Then do not 
 forget       to   backup  root.lrp !</li>
 </ol>
-                  
+<p>The .lrp that I release isn't set up for a two-interface firewall
-<p>The .lrp that I release isn't set up for a two-interface firewall like 
+like Jacques's. You need to follow the <a href="two-interface.htm">instructions
-              Jacques's. You need to follow the <a
+for setting up a two-interface firewall</a> plus you also need to add
- href="two-interface.htm">instructions           for   setting up a two-interface 
+the following two Bering-specific rules to /etc/shorewall/rules:</p>
  firewall</a> plus you also need  to   add    the  following   two Bering-specific 
  rules to /etc/shorewall/rules:</p>
 <blockquote>
  <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
-                           </blockquote>
+</blockquote>
 <h3 align="left">Version 1.3.6 and 1.3.7</h3>
 <p align="left">If you have a pair of firewall systems configured for
-     failover or if you have asymmetric routing, you will need to modify
+failover or if you have asymmetric routing, you will need to modify
-                   your firewall setup slightly under Shorewall versions
+your firewall setup slightly under Shorewall versions
 1.3.6 and 1.3.7</p>
 <ol>
  <li>
-               
+    <p align="left">Create the file /etc/shorewall/newnotsyn and in it
-    <p align="left">Create the file /etc/shorewall/newnotsyn and in it add 
+add the following rule<br>
                       the following rule<br>
    <br>
    <font face="Courier">run_iptables -A
 newnotsyn -j RETURN # So that the connection tracking
 table can be rebuilt<br>
-                                                                        
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
 # from non-SYN packets after takeover.<br>
-                           </font>  </p>
+&nbsp;</font> </p>
  </li>
  <li>
    <p align="left">Create /etc/shorewall/common (if you don't already
-       have that file) and include the following:<br>
+have that file) and include the following:<br>
    <br>
    <font face="Courier">run_iptables -A
 common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
 #Accept Acks to rebuild connection<br>
-                                                                                              
+&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
-                     #tracking table. <br>
+#tracking table. <br>
-                                    . /etc/shorewall/common.def</font> </p>
+. /etc/shorewall/common.def</font> </p>
  </li>
 </ol>
 <h3 align="left">Versions &gt;= 1.3.5</h3>
 <p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
-    supported. </p>
+supported. </p>
 <p align="left">Example 1:</p>
 <div align="left">
 <pre>	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all</pre>
-                           </div>
+</div>
 <p align="left">Must be replaced with:</p>
 <div align="left">
 <pre>	DNAT	net	loc:192.168.1.12:22	tcp	11111</pre>
-                           </div>
+</div>
 <div align="left">
 <p align="left">Example 2:</p>
-                         </div>
+</div>
 <div align="left">
 <pre>	ACCEPT	loc	fw::3128	tcp	80	-	all</pre>
-                           </div>
+</div>
 <div align="left">
 <p align="left">Must be replaced with:</p>
-                         </div>
+</div>
 <div align="left">
 <pre>	REDIRECT	loc	3128	tcp	80</pre>
-                           </div>
+</div>
 <h3 align="left">Version &gt;= 1.3.2</h3>
-                  
+<p align="left">The functions and versions files together with the
-<p align="left">The functions and versions files together with the      'firewall'
+'firewall' symbolic link have moved from /etc/shorewall to
-    symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 
+/var/lib/shorewall. If you have applications that access these files,
-                  If you have applications that access these files, those
+those applications should be modified accordingly.</p>
- applications                    should be modified accordingly.</p>
+<p><font size="2"> Last updated 10/30/2003 - <a href="support.htm">Tom
 <p><font size="2">  Last updated 6/29/2003 -   <a href="support.htm">Tom
 Eastep</a></font> </p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-              © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
+© <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
-   </p>
+</p>
   <br>
  <br>
 <br>
 </body>
 </html>
--- a/Shorewall-docs/useful_links.html
+++ b/Shorewall-docs/useful_links.html
@ -2,65 +2,39 @@
 <html>
 <head>
  <title>Useful Links</title>
  <meta http-equiv="content-type"
 content="text/html; charset=ISO-8859-1">
  <meta name="author" content="Tom Eastep">
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">Useful Links &nbsp; &nbsp;</h1>
 <table border="0" cellpadding="0" cellspacing="0"
 style="border-collapse: collapse;" width="100%" id="AutoNumber4"
 bgcolor="#3366ff" height="90">
      <tbody>
        <tr>
          <td width="100%">       
      <h1 align="center"><font color="#ffffff">Useful Links</font><br>
          </h1>
         <br>
          </td>
       </tr>
  </tbody> 
 </table>
    &nbsp;&nbsp; &nbsp;<br>
 <h3>NetFilter Site: <a href="http://www.netfilter.org">http://www.netfilter.org<img
 src="images/netfilterlogo.png" alt="Netfilter Logo" width="94"
- height="33" hspace="4" align="middle" border="0">
+ height="33" hspace="4" align="middle" border="0"> </a></h3>
   </a></h3>
 <h3>Linux Advanced Routing and Traffic Control Howto: <a
 href="http://ds9a.nl/lartc">http://ds9a.nl/lartc</a></h3>
 <h3>Iproute Downloads: <a href="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</a></h3>
 <h3>LEAF Site: <a href="http://leaf-project.org">http://leaf-project.org<img
 src="images/leaflogo.jpg" alt="Leaf Logo" width="64" height="48"
- align="middle" hspace="4" border="0">
+ align="middle" hspace="4" border="0"> </a></h3>
   </a></h3>
 <h3>Bering LEAF Distribution: <a
- href="http://leaf.sourceforge.net/devel/jnilo">       http://leaf.sourceforge.net/devel/jnilo</a></h3>
+ href="http://leaf.sourceforge.net/devel/jnilo">
-  
+http://leaf.sourceforge.net/devel/jnilo</a></h3>
 <h3>Debian apt-get sources for Shorewall: <a
- href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
+ href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian<img
 src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
- align="middle" hspace="4" border="0">
+ align="middle" hspace="4" border="0"> <img src="images/debian.jpg"
-  <img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
+ alt="Debian Logo" width="88" height="30" align="middle" border="0"> </a><br>
- align="middle" border="0">
+</h3>
-   </a><br>
+<br>
-   </h3>
+<font size="2">Last updated 11/20/2003 - <a href="support.htm">Tom
-   <br>
+Eastep</a></font>
   <font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font> 
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
- &copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
+&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
-     <br>
+<br>
-    <br>
+<br>
-   <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>
--- a/Shorewall-docs/whitelisting_under_shorewall.htm
+++ b/Shorewall-docs/whitelisting_under_shorewall.htm
@ -1,48 +1,32 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 <html>
 <head>
  <meta http-equiv="Content-Language" content="en-us">
  <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
  <meta name="ProgId" content="FrontPage.Editor.Document">
  <meta http-equiv="Content-Type"
 content="text/html; charset=windows-1252">
  <title>Whitelisting under Shorewall</title>
 </head>
-  <body>
+<body>
-  
+<h1 style="text-align: center;">Whitelisting under Shorewall<br>
-<table border="0" cellpadding="0" cellspacing="0"
+</h1>
- style="border-collapse: collapse;" bordercolor="#111111" width="100%"
+<p align="left">For a brief time, the 1.2 version of Shorewall
- id="AutoNumber1" bgcolor="#3366ff" height="90">
+supported
-     <tbody>
+an /etc/shorewall/whitelist file. This file was intended to contain a
-      <tr>
+list
-       <td width="100%">       
+of IP addresses of hosts whose POLICY to all zones was ACCEPT. The
-      <h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
+whitelist file was implemented as a stop-gap measure until the
-       </td>
+facilities necessary for implementing white lists using zones was in
-     </tr>
+place. As of Version 1.3 RC1, those facilities were available.</p>
-    
+<p align="left">White lists are most often used to give special
-  </tbody> 
+privileges to a set&nbsp; of hosts within an organization. Let us
-</table>
+suppose that we have the following environment:</p>
 <p align="left">For a brief time, the 1.2 version of Shorewall supported
 an  /etc/shorewall/whitelist file. This file was intended to contain a list
 of IP  addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist 
 file was  implemented as a stop-gap measure until the facilities necessary 
 for  implementing white lists using zones was in place. As of Version 1.3 
 RC1, those  facilities were available.</p>
 <p align="left">White lists are most often used to give special privileges 
 to a  set  of hosts within an organization. Let us suppose that we have the 
 following environment:</p>
 <ul>
-     <li>A firewall with three interfaces -- one to the internet, one   
+  <li>A firewall with three interfaces -- one to the internet, one to a
-to a local network and one to a DMZ.</li>
+local network and one to a DMZ.</li>
-     <li>The local network uses SNAT to the internet and is comprised   
+  <li>The local network uses SNAT to the internet and is comprised of
-of the class B network 10.10.0.0/16 (Note: While this example uses an RFC
+the class B network 10.10.0.0/16 (Note: While this example uses an RFC
 1918 local network, the technique described here in no way depends on
 that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
 NAT, etc.).</li>
@ -52,15 +36,11 @@ in the class C network 10.10.10.0/24</li>
 other hosts.</li>
  <li>We want the network operations staff to bypass the transparent
 HTTP proxy running on our firewall.</li>
 </ul>
-  
+<p align="left">The basic approach will be that we will place the
-<p align="left">The basic approach will be that we will place the operations 
+operations staff's class C in its own zone called <b>ops</b>. Here are
- staff's class C in its own zone called <b>ops</b>. Here are the appropriate 
+the appropriate configuration files:</p>
 configuration files:</p>
 <h2 align="left">Zone File</h2>
 <blockquote>
  <table border="2">
    <tbody>
@ -89,16 +69,13 @@ HTTP proxy running on our firewall.</li>
        <td>DMZ</td>
        <td>Demilitarized zone</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p>The <b>ops </b>zone has been added to the standard 3-zone zones
-<p>The <b>ops </b>zone has been added to the standard 3-zone zones file -- 
+file -- since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u>
-since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
+<b>loc</b>.</p>
 <h2>Interfaces File</h2>
 <blockquote>
  <table border="2">
    <tbody>
@ -125,20 +102,15 @@ since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b
        <td>-</td>
        <td>eth2</td>
        <td>10.10.255.255</td>
-            <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
 <p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
 we don't specify a zone for it here.</p>
 <h2>Hosts File</h2>
-  
+<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
 <blockquote>   <font face="Century Gothic, Arial, Helvetica">           
                                                     </font>    
  <table border="2">
    <tbody>
      <tr>
@ -155,24 +127,22 @@ we  don't specify a zone for it here.</p>
      <tr>
        <td>loc</td>
        <td>eth2:0.0.0.0/0</td>
-            <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall
-<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is stopped,
+is stopped,
-only the hosts in the <b>ops</b> zone will be allowed to access the  firewall
+only the hosts in the <b>ops</b> zone will be allowed to access the
-and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than  10.10.0.0/16
+firewall
 and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than
 10.10.0.0/16
 so that the limited broadcast address (255.255.255.255) falls into that
-zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
+zone. If I used 10.10.0.0/16 then I would have to have a separate entry
- that special address.</p>
+for that special address.</p>
 <h2>Policy File</h2>
-  
+<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
 <blockquote>   <font face="Century Gothic, Arial, Helvetica">           
                                                         </font>    
  <table border="2">
    <tbody>
      <tr>
@ -186,49 +156,44 @@ zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
        <td><font color="#0000ff">ops</font></td>
        <td><font color="#0000ff">all</font></td>
        <td><font color="#0000ff">ACCEPT</font></td>
-           <td> </td>
+        <td>&nbsp;</td>
-           <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td><font color="#0000ff">all</font></td>
        <td><font color="#0000ff">ops</font></td>
        <td><font color="#0000ff">CONTINUE</font></td>
-           <td> </td>
+        <td>&nbsp;</td>
-           <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>loc</td>
        <td>net</td>
        <td>ACCEPT</td>
-    <td> </td>
+        <td>&nbsp;</td>
-           <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>net</td>
        <td>all</td>
        <td>DROP</td>
        <td>info</td>
-            <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>all</td>
        <td>all</td>
        <td>REJECT</td>
        <td>info</td>
-            <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p>Two entries for <b>ops</b> have been added to the standard 3-zone
-<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy 
+policy file.<font color="#ff0000"><b></b></font></p>
 file.<font color="#ff0000"><b></b></font></p>
 <h2>Rules File</h2>
 <blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
  <table border="2">
    <tbody>
      <tr>
@ -237,11 +202,11 @@ file.<font color="#ff0000"><b></b></font></p>
        <td><b>DEST</b></td>
        <td><b> PROTO</b></td>
        <td><b>DEST<br>
-     PORT(S)</b></td>
+PORT(S)</b></td>
        <td><b>SOURCE<br>
-            PORT(S)</b></td>
+PORT(S)</b></td>
        <td><b>ORIGINAL<br>
-            DEST</b></td>
+DEST</b></td>
      </tr>
      <tr>
        <td>REDIRECT</td>
@ -249,29 +214,25 @@ file.<font color="#ff0000"><b></b></font></p>
        <td>3128</td>
        <td>tcp</td>
        <td>http</td>
-            <td> </td>
+        <td>&nbsp;</td>
-            <td> </td>
+        <td>&nbsp;</td>
      </tr>
      <tr>
        <td>...</td>
-            <td> </td>
+        <td>&nbsp;</td>
-            <td> </td>
+        <td>&nbsp;</td>
-            <td> </td>
+        <td>&nbsp;</td>
-            <td> </td>
+        <td>&nbsp;</td>
-            <td> </td>
+        <td>&nbsp;</td>
-            <td> </td>
+        <td>&nbsp;</td>
      </tr>
    </tbody>
  </table>
-   </blockquote>
+</blockquote>
-  
+<p>This is the rule that transparently redirects web traffic to the
-<p>This is the rule that transparently redirects web traffic to the transparent 
+transparent proxy running on the firewall. The SOURCE column explicitly
- proxy running on the firewall. The SOURCE column explicitly excludes the 
+excludes the <b>ops</b> zone from the rule.</p>
 <b>ops</b>  zone from the rule.</p>
 <h2>Routestopped File</h2>
 <blockquote>
  <table border="2">
    <tbody>
@ -291,19 +252,16 @@ file.<font color="#ff0000"><b></b></font></p>
        </td>
        <td>10.10.10.0/24</td>
      </tr>
    </tbody>
  </table>
  <br>
- </blockquote>
+</blockquote>
 <p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
-    </font></p>
+</font></p>
 <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
-   © <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
+© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
-                               <br>
+<br>
-  <br>
+<br>
- <br>
+<br>
 </body>
 </html>