From c5f747624be2d66e135e4e81aa650e40eaf10ffa Mon Sep 17 00:00:00 2001 From: frannie Date: Sun, 14 Mar 2004 18:16:35 +0000 Subject: [PATCH] Baseline 2.0 Sample Files Revision 1.0 git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1187 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Samples/one-interface/interfaces | 21 +++--- Samples/one-interface/policy | 25 ++++--- Samples/one-interface/rules | 86 ++++++++++++------------- Samples/one-interface/zones | 2 +- Samples/three-interfaces/interfaces | 22 +++++-- Samples/three-interfaces/masq | 2 +- Samples/three-interfaces/policy | 20 ++++-- Samples/three-interfaces/routestopped | 2 +- Samples/three-interfaces/rules | 93 +++++++++++++-------------- Samples/three-interfaces/zones | 2 +- Samples/two-interfaces/interfaces | 28 +++++--- Samples/two-interfaces/masq | 2 +- Samples/two-interfaces/policy | 20 ++++-- Samples/two-interfaces/routestopped | 2 +- Samples/two-interfaces/rules | 90 ++++++++++++-------------- Samples/two-interfaces/zones | 2 +- 16 files changed, 223 insertions(+), 196 deletions(-) diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces index 84118536b..286aa2517 100755 --- a/Samples/one-interface/interfaces +++ b/Samples/one-interface/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 1.4.8a -- Sample Interface File For One Interface +# Shorewall 2.0 -- Sample Interface File For One Interface # # /etc/shorewall/interfaces # @@ -24,7 +24,8 @@ # want to make a entry that applies to all PPP # interfaces, use 'ppp+' # -# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. +# There is no need to define the loopback interface (lo) +# in this file. # # BROADCAST The broadcast address for the subnetwork to which the # interface belongs. For P-T-P interfaces, this 
@@ -65,11 +66,6 @@ # interface (anti-spoofing measure). This # option can also be enabled globally in # the /etc/shorewall/shorewall.conf file. -# dropunclean -# Logs and drops mangled/invalid packets -# logunclean -# Logs mangled/invalid packets but does -# not drop them. # blacklist # Check packets arriving on this interface # against the /etc/shorewall/blacklist @@ -118,6 +114,15 @@ # the interface can respond to ARP who-has requests # for IP addresses on any of the firewall's interface. # The interface must be up when shorewall is started. +# nosmurfs +# Filter packers for smurfs (Packets with a broadcast +# address as the source). +# detectnets +# Automatically taylors the zone named in the ZONE +# column to include only those hosts routed through +# the interface. +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE! # # The order in which you list the options is not # significant but the list should have no embedded white @@ -147,5 +152,5 @@ # net ppp0 - ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect norfc1918,routefilter,dhcp +net eth0 detect norfc1918,routefilter,dhcp,tcpflags #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy index 81d41e425..d38b23e49 100644 --- a/Samples/one-interface/policy +++ b/Samples/one-interface/policy 
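Review bot: The new `net eth0` line in the `@@ -147,5 +152,5 @@` hunk turns on `tcpflags` but not `nosmurfs`, even though the same commit documents `nosmurfs` a few lines above and the net interface is the one that receives broadcast-source packets from outside; if the sample is meant to showcase the 2.0 packet-sanity options, consider `net eth0 detect norfc1918,routefilter,dhcp,tcpflags,nosmurfs`, and the same question applies to the `net eth0` entry in Samples/two-interfaces/interfaces. In the `@@ -118,6 +114,15 @@` hunk the added text reads `Filter packers for smurfs` and `Automatically taylors the zone`; these should be `packets` and `tailors` (the `taylors` spelling is repeated in the two- and three-interface samples). This sample also omits the sentence about `SMURF_LOG_LEVEL` and dropping after logging that the other two interface samples add, so the three descriptions of `nosmurfs` now differ; copying that sentence here would keep the samples consistent.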
@@ -1,13 +1,14 @@ # -# Shorewall 1.4.8a -- Sample Policy File For One Interface +# Shorewall 2.0 -- Sample Policy File For One Interface # # /etc/shorewall/policy # +# THE ORDER OF ENTRYS IN THIS FILE IS IMPORTANT! +# # This file determines what to do with a new connection request if we -# don't get a match from the /etc/shorewall/rules file or from the -# /etc/shorewall/common[.def] file. For each source/destination pair, the -# file is processed in order until a match is found ("all" will match -# any client or server). +# don't get a match from the /etc/shorewall/rules file For each +# source/destination pair, the file is processed in order until a +# match is found ("all" will match any client or server). # # Columns are: # @@ -17,10 +18,6 @@ # DEST Destination zone. Must be the name of a zone defined # in /etc/shorewall/zones, $FW or "all" # -# WARNING: Firewall->Firewall policies are not allowed; if -# you have a policy where both SOURCE and DEST are $FW, -# Shorewall will not start! -# # POLICY Policy if no match from the rules file is found. Must # be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE" # @@ -45,7 +42,15 @@ # and you may not have any rules with # this SOURCE and DEST in the /etc/shorewall/rules # file. If such a packet is received the result -# is undefined. +# is undefined. NONE may not be used if the +# SOURCE or DEST columns contain the firewall +# zone ($FW) or "all". +# +# If this column contains ACCEPT, DROP or REJECT and a +# corresonding common action is defined in +# /etc/shorewall/actions (or /usr/share/shorewall/actions.std) +# then that action will be invoked before the policy named in +# this column is inforced. # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules index 7ef9beac0..c7c1b2ad0 100755 --- a/Samples/one-interface/rules +++ b/Samples/one-interface/rules 
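Review bot: The `@@ -17,10 +18,6 @@` hunk deletes the warning that a policy with both SOURCE and DEST set to $FW prevents Shorewall from starting, but the two- and three-interface policy samples, which receive only the header and NONE/common-action hunks in this commit, keep that paragraph; if the restriction was lifted in 2.0 the paragraph should be removed from all three samples, and if it was not it should stay here too. The new NONE constraint in the `@@ -45,7 +42,15 @@` hunk is the security-relevant addition and reads correctly, but the added lines carry several slips: `ENTRYS` → `ENTRIES` (the other two samples already say ENTRIES), `corresonding` → `corresponding`, `inforced` → `enforced`, and `rules file For each` is missing its period. These are the lines an administrator reads before deciding on a NONE or CONTINUE policy, so the wording is worth getting right.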
@@ -1,10 +1,13 @@ # -# Shorewall version 1.4.8a - Sample Rules File For One Interface +# Shorewall version 2.0 - Sample Rules File For One Interface # # /etc/shorewall/rules # # Rules in this file govern connection establishment. Requests and # responses are automatically allowed using connection tracking. +# For any particular (source,dest) pair of zones, the rules are evaluated +# in the order in which they appear in this file and the first match is +# the one that determines the disposition of the request. # # In most places where an IP address or subnet is allowed, you # can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to @@ -12,11 +15,14 @@ # given. Notice that no white space is permitted between "!" and the # address/subnet. # +# WARNING: If you masquerade or use SNAT from a local system to the internet +# you cannot use a ACCEPT rule to allow traffic from the internet to +# that system. You *must* use a DNAT rule instead. # Columns are: # # # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, -# REDIRECT-, CONTINUE, LOG or QUEUE. +# REDIRECT-, CONTINUE, LOG, QUEUE or an . # # ACCEPT # Allow the connection request 
@@ -56,34 +62,21 @@ # Simply log the packet and continue. # QUEUE # Queue the packet to a user-space -# application such as p2pwall. +# application such as ftwall. +# (http://p2pwall.sf.net). +# +# The name of an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std. # -# You may rate-limit the rule by optionally following -# ACCEPT, DNAT[-], REDIRECT[-] or LOG with -# -# < /[:] > -# -# Where is the number of connections per -# ("sec" or "min") and is the largest -# burst permitted. If no is given, a value of 5 -# is assumed. There may be no whitespace embedded in the -# specification. -# -# Example: -# ACCEPT<10/sec:20> -# -# The ACTION (and rate limit) may optionally be followed by ":" -# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging) -# This causes the packet to be logged at the specified level. -# -# NOTE: For those of you who prefer to place the rate limit in a separate column, -# see the RATE LIMIT column below. If you specify a value in that column you must include -# a rate limit in the action column. -# -# You may also specify ULOG (must be in upper case) as a -# log level. This will log to the ULOG target for routing -# to a separate log through use of ulogd. -# (http://www.gnumonks.org/projects/ulogd). +# The ACTION may optionally be followed by ":" and a syslog +# log level (e.g, REJECT:info or DNAT:debug). This causes the +# packet to be logged at the specified level. +# +# You may also specify ULOG (Must be in upper case) as a log +# level. This will log to the ULOG target for routing to a +# seperate log through the use of ulogd. +# (http://www.gnumonks.org/projects/ulogd). # # SOURCE Source hosts to which the rule applies. May be a zone # defined in /etc/shorewall/zones, $FW to indicate the 
@@ -243,20 +236,21 @@ # If you place a rate limit in this column, you may not place # a similiar limit in the ACTION column. # -# USER SET This Column may only be non-empty if the SOURCE is the firewall -# itself and the ACTION is ACCEPT, DROP or REJECT. +# USER/GROUP +# This column may only be non-empty if the SOURCE is the firewall itself. # -# The column may contain a user set name defined in the -# /etc/shorewall/usersets file or it may contain: +# This column may contain: # -# []:[] +# [!][][:] # -# When this column is non-empty, the rule applies only if the -# program generating the output is running under the effective -# (s) and/or (s) specified. When a user set name is -# given, a log level may not be present in the ACTION column; -# logging for such rules is controlled by user set's entry in -# /etc/shorewall/usersets. +# When this column is non-empty, the rule applies only if the program +# generating the output is running under the effective and/or +# specified (or is NOT running under that id if "!' is given). +# +# Examples: +# joe # program must be run by joe +# :kids # program must be run by a member of the 'kids' group. +# !:kids # program must not be run by a member of the 'kids' group. # # Note: Most one interface rules are of the type ACCEPT, REDIRECT or REJECT. # DNAT, DNAT-, CONTINUE rules are for multiple interface firewall. 
@@ -265,18 +259,18 @@ # # Example: Accept www requests to the one interface server. # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # ACCEPT net fw tcp http # # Example: Redirect port 88 Internet traffic to fw port 80 -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # REDIRECT net 80 tcp 88 # ############################################################################## -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# PORT PORT(S) DEST LIMIT SET +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP ACCEPT net fw icmp 8 ACCEPT fw net icmp #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/one-interface/zones b/Samples/one-interface/zones index 850cb3bcc..92766c14c 100644 --- a/Samples/one-interface/zones +++ b/Samples/one-interface/zones @@ -1,5 +1,5 @@ # -# Shorewall 1.4.8a -- Sample Zone File For One Interface +# Shorewall 2.0 -- Sample Zone File For One Interface # /etc/shorewall/zones # # This file determines your network zones. Columns are: diff --git a/Samples/three-interfaces/interfaces b/Samples/three-interfaces/interfaces index 14f9121dc..b7966b7b4 100755 --- a/Samples/three-interfaces/interfaces +++ b/Samples/three-interfaces/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 1.4.8a -- Sample Interface File For Three Interfaces +# Shorewall 2.0 -- Sample Interface File For Three Interfaces # # /etc/shorewall/interfaces # 
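Review bot: The `@@ -56,34 +62,21 @@` hunk removes the documentation of the `ACCEPT<10/sec:20>` rate-limit-in-ACTION syntax, yet the RATE LIMIT column text left as context in the `@@ -243,20 +236,21 @@` hunk still says `If you place a rate limit in this column, you may not place a similiar limit in the ACTION column`; if that syntax is gone in 2.0, the sentence is stale and should be dropped or reworded to `Rate limits are specified only in this column.` The same leftover sentence remains in Samples/three-interfaces/rules and Samples/two-interfaces/rules. In the USER/GROUP text added by the `@@ -243` hunk the quoting is unbalanced (`if "!' is given`) where the other two samples write `"!"`, and the new `REDIRECT-, CONTINUE, LOG, QUEUE or an .` line appears to have lost the word it names (the following paragraph describes the name of an action defined in /etc/shorewall/actions) — presumably a bracketed placeholder was stripped in rendering, but it is worth checking the committed file. The new WARNING that a masqueraded or SNATed host must be reached with a DNAT rule rather than ACCEPT is a useful addition and should be kept.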
@@ -22,7 +22,8 @@ # an alias (e.g., eth0:0) here; see # http://www.shorewall.net/FAQ.htm#faq18 # -# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. +# There is no need to define the loopback interface (lo) +# in this file. # # BROADCAST # The broadcast address for the subnetwork to which the @@ -65,11 +66,6 @@ # interface (anti-spoofing measure). This # option can also be enabled globally in # the /etc/shorewall/shorewall.conf file. -# dropunclean -# Logs and drops mangled/invalid packets -# logunclean -# Logs mangled/invalid packets but does -# not drop them. # blacklist # Check packets arriving on this interface # against the /etc/shorewall/blacklist @@ -118,6 +114,18 @@ # the interface can respond to ARP who-has requests # for IP addresses on any of the firewall's interface. # The interface must be up when shorewall is started. +# nosmurfs +# Filter packets for smurfs (packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based on the setting +# of SMURF_LOG_LEVEL in shorewall.conf. After logging, +# the packets are dropped. +# detectnets +# Automatically taylors the zone named in the ZONE column +# to include only those hosts routed through the interface. +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE! # # The order in which you list the options is not # significant but the list should have no embedded white diff --git a/Samples/three-interfaces/masq b/Samples/three-interfaces/masq index 4bee8dd80..bd378fc19 100755 --- a/Samples/three-interfaces/masq +++ b/Samples/three-interfaces/masq @@ -1,5 +1,5 @@ # -# Shorewall 1.4.8a - Sample Masquerade file For Three Interfaces +# Shorewall 2.0 - Sample Masquerade file For Three Interfaces # # etc/shorewall/masq # diff --git a/Samples/three-interfaces/policy b/Samples/three-interfaces/policy index 4ea2ebd96..b80664bf8 100644 --- a/Samples/three-interfaces/policy +++ b/Samples/three-interfaces/policy 
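Review bot: The interface entries at the bottom of Samples/three-interfaces/interfaces are not touched by this commit (the diffstat lists only the comment hunks), so unlike the one- and two-interface samples this one does not gain `tcpflags` on its net interface; if the intent is that all three baseline samples enable the 2.0 packet-sanity options, the `net` line here should be updated to match. The entries themselves are outside the visible hunks, so I cannot confirm their current option lists. In the `@@ -118,6 +114,18 @@` hunk, `Automatically taylors the zone` should read `tailors`.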
@@ -1,13 +1,14 @@ # -# Shorewall 1.4.8a -- Sample Policy File For Three Interfaces +# Shorewall 2.0 -- Sample Policy File For Three Interfaces # # /etc/shorewall/policy # +# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT +# # This file determines what to do with a new connection request if we -# don't get a match from the /etc/shorewall/rules file or from the -# /etc/shorewall/common[.def] file. For each source/destination pair, the -# file is processed in order until a match is found ("all" will match -# any client or server). +# don't get a match from the /etc/shorewall/rules file For each +# source/destination pair, the file is processed in order until a +# match is found ("all" will match any client or server). # # Columns are: # @@ -45,7 +46,14 @@ # and you may not have any rules with # this SOURCE and DEST in the /etc/shorewall/rules # file. If such a packet is received the result -# is undefined. +# is undefined. NONE may not be used if the +# SOURCE or DEST Columns contain the firewall +# zone ($FW) or "all". +# +# If This column contains ACCEPT, DROP or REJECT and a +# corresponding common action is defined in /etc/shorewall/actions +# (or /usr/share/shorewall/actions.std) then that action will be +# invoked before the policy named in this column is inforced. # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no diff --git a/Samples/three-interfaces/routestopped b/Samples/three-interfaces/routestopped index a0ce41153..da5adb3dd 100644 --- a/Samples/three-interfaces/routestopped +++ b/Samples/three-interfaces/routestopped @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 1.4.8a -- Sample Routestopped File For Three Interfaces. +# Shorewall 2.0 -- Sample Routestopped File For Three Interfaces. # # /etc/shorewall/routestopped # 
diff --git a/Samples/three-interfaces/rules b/Samples/three-interfaces/rules index 44f55c0db..d8440327e 100755 --- a/Samples/three-interfaces/rules +++ b/Samples/three-interfaces/rules @@ -1,10 +1,13 @@ # -# Shorewall version 1.4.8a -- Sample Rules File For Three Interfaces +# Shorewall version 2.0 -- Sample Rules File For Three Interfaces # # /etc/shorewall/rules # # Rules in this file govern connection establishment. Requests and -# responses are automatically allowed using connection tracking. +# responses are automatically allowed using connection tracking. For any +# particular (source,dest) pair of zones, the rules are evaluated in the +# order in which they appear in this file and the first mactch is the one +# that determines the disposition of the request. # # In most places where an IP address or subnet is allowed, you # can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to @@ -12,11 +15,15 @@ # given. Notice that no white space is permitted between "!" and the # address/subnet. # +# WARNING: If you masquerade or use SNAT from a local system to the internet. +# you cannot use an ACCEPT rule to allow traffic from the internet to +# that system. You "must" use a DNAT rule instead. +# # Columns are: # # # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, -# REDIRECT-, CONTINUE, LOG Or QUEUE. +# REDIRECT-, CONTINUE, LOG, QUEUE or an . # # ACCEPT # Allow the connection request. 
@@ -56,29 +63,16 @@ # Simply log the packet and continue. # QUEUE # Queue the packet to a user-space -# application such as p2pwall. +# application such as ftwall. +# (http://p2pwall.sf.net). +# +# The name of an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std. # -# You may rate-limit the rule by optionally following -# ACCEPT, DNAT[-], REDIRECT[-] or LOG with -# -# < /[:] > -# -# Where is the number of connections per -# ("sec" or "min") and is the largest -# burst permitted. If no is given, a value of 5 -# is assumed. There may be no whitespace embedded in the -# specification. -# -# Example: -# ACCEPT<10/sec:20> -# -# The ACTION (and rate limit) may optionally be followed by ":" -# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging) -# This causes the packet to be logged at the specified level. -# -# NOTE: For those of you who prefer to place the rate limit in a separate column, -# see the RATE LIMIT column below. If you specify a value in that column you must include -# a rate limit in the action column. +# The ACTION may optionally be followed by ":" and a syslog log +# level (e.g, REJECT:info or DNAT:debug). This causes the packet +# to be logged at the specified level. # # You may also specify ULOG (must be in upper case) as a # log level. This will log to the ULOG target for routing 
@@ -242,61 +236,62 @@ # # If you place a rate limit in this column, you may not place # a similiar limit in the ACTION column. +# +# USER/GROUP +# This column may only be non-empty if the SOURCE is the firewall itself. # -# USER SET This Column may only be non-empty if the SOURCE is the firewall -# itself and the ACTION is ACCEPT, DROP or REJECT. +# The column may contain: +# +# [!][][:] # -# The column may contain a user set name defined in the -# /etc/shorewall/usersets file or it may contain: +# When this column is non-empty, the rule applies only if the program +# generating the output is running under the effective and/or +# specified (or is NOT running under that id if "!" is given). # -# []:[] -# -# When this column is non-empty, the rule applies only if the -# program generating the output is running under the effective -# (s) and/or (s) specified. When a user set name is -# given, a log level may not be present in the ACTION column; -# logging for such rules is controlled by user set's entry in -# /etc/shorewall/usersets. +# Examples: +# joe # program must be run by joe. +# :kids # program must be run by a member of the 'kids' group. +# !:kids # program must not be run by a member of the 'kids' group. # # Also by default all outbound loc -> net communications are allowed. # You can change this behavior in the sample policy file. # # Example: Accept www requests to the firewall. 
# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # ACCEPT net fw tcp http # # Example: Accept SMTP requests from the Local Network to the Internet # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # ACCEPT loc net tcp smtp # # Example: Forward all ssh and http connection requests from the Internet # to dmz system 192.168.2.3 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # DNAT net dmz:192.168.2.3 tcp ssh,http # # Example: Redirect all locally-originating www connection requests to # port 3128 on the firewall (Squid running on the firewall # system) except when the destination address is 192.168.2.2 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # REDIRECT loc 3128 tcp www - !192.168.2.2 # # Example: All http requests from the Internet to address # 130.252.100.69 are to be forwarded to 192.168.1.3 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 ############################################################################## -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# PORT PORT(S) DEST LIMIT SET +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP # # Accept DNS connections from the firewall to the Internet # 
diff --git a/Samples/three-interfaces/zones b/Samples/three-interfaces/zones index a8d5bed0c..81a827632 100644 --- a/Samples/three-interfaces/zones +++ b/Samples/three-interfaces/zones @@ -1,5 +1,5 @@ # -# Shorewall 1.4.8a -- Sample Zone File For Two Interfaces +# Shorewall 2.0 -- Sample Zone File For Two Interfaces # /etc/shorewall/zones # # This file determines your network zones. Columns are: diff --git a/Samples/two-interfaces/interfaces b/Samples/two-interfaces/interfaces index 8af2aa1a4..8f401dc4a 100755 --- a/Samples/two-interfaces/interfaces +++ b/Samples/two-interfaces/interfaces @@ -1,5 +1,5 @@ # -# Shorewall 1.4.8a -- Sample Interface File For Two Interfaces +# Shorewall 2.0 -- Sample Interface File For Two Interfaces # # /etc/shorewall/interfaces # @@ -26,7 +26,8 @@ # want to make a entry that applies to all PPP # interfaces, use 'ppp+'. # -# DO NOT DEFINE THE LOOPBACK INTERFACE (lo) IN THIS FILE. +# There is no need to defiane the loopback interface +# (lo) in this file. # # BROADCAST # The broadcast address for the subnetwork to which the @@ -69,11 +70,6 @@ # interface (anti-spoofing measure). This # option can also be enabled globally in # the /etc/shorewall/shorewall.conf file. -# dropunclean -# Logs and drops mangled/invalid packets -# logunclean -# Logs mangled/invalid packets but does -# not drop them. # blacklist # Check packets arriving on this interface # against the /etc/shorewall/blacklist 
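Review bot: The rewritten header line in Samples/three-interfaces/zones still says `Sample Zone File For Two Interfaces`; since this line is being edited anyway for the version bump, it should read `# Shorewall 2.0 -- Sample Zone File For Three Interfaces`. The same title is correct in Samples/two-interfaces/zones, so only the three-interface file needs the fix.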
@@ -124,6 +120,20 @@ # the interface can respond to ARP who-has requests # for IP addresses on any of the firewall's interface. # The interface must be up when shorewall is started. +# nosmurfs +# Filter packets for smurfs (Packets with a broadcast +# address as the source). +# +# Smurfs will be optionally logged based on the setting +# of SMURF_LOG_LEVEL in shorewall.conf. After logging +# the packets are dropped. +# +# detectnets +# Automatically taylors the zone named in the ZONE column +# to include only those hosts routed through the interface. +# +# WARNING: DO NOT SET THE detectnets OPTION ON YOUR INTERNET INTERFACE! +# # # The order in which you list the options is not # significant but the list should have no embedded white @@ -151,6 +161,6 @@ # ############################################################################## #ZONE INTERFACE BROADCAST OPTIONS -net eth0 detect dhcp,routefilter,norfc1918 -loc eth1 detect +net eth0 detect dhcp,routefilter,norfc1918,tcpflags +loc eth1 detect tcpflags #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE diff --git a/Samples/two-interfaces/masq b/Samples/two-interfaces/masq index 2a55f7e89..3f25845c3 100755 --- a/Samples/two-interfaces/masq +++ b/Samples/two-interfaces/masq @@ -1,5 +1,5 @@ # -# Shorewall 1.4.8a - Sample Masquerade file For Two Interfaces +# Shorewall 2.0 - Sample Masquerade file For Two Interfaces # # etc/shorewall/masq # diff --git a/Samples/two-interfaces/policy b/Samples/two-interfaces/policy index 4779830fc..4146b6926 100644 --- a/Samples/two-interfaces/policy +++ b/Samples/two-interfaces/policy 
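Review bot: The `@@ -26,7 +26,8 @@` hunk introduces a typo in the new line: `There is no need to defiane the loopback interface` should be `define`. In the `@@ -124,6 +120,20 @@` hunk the added options block ends with two consecutive `#` lines where the one- and three-interface samples have one, and `taylors` should be `tailors`. The `@@ -151,6 +161,6 @@` hunk enables `tcpflags` on both `net eth0` and `loc eth1`, which is a sensible default for a sample; whether `nosmurfs` should accompany it on the internet-facing entry is the same open question as in the one-interface sample.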
@@ -1,13 +1,14 @@ # -# Shorewall 1.4.8a -- Sample Policy File For Two Interfaces +# Shorewall 2.0 -- Sample Policy File For Two Interfaces # # /etc/shorewall/policy # +# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT +# # This file determines what to do with a new connection request if we -# don't get a match from the /etc/shorewall/rules file or from the -# /etc/shorewall/common[.def] file. For each source/destination pair, the -# file is processed in order until a match is found ("all" will match -# any client or server). +# don't get a match from the /etc/shorewall/rules file. For each +# source/destination pair, the file is processed in order until a +# match is found ("all" will match any client or server). # # Columns are: # @@ -45,7 +46,14 @@ # and you may not have any rules with # this SOURCE and DEST in the /etc/shorewall/rules # file. If such a packet is received the result -# is undefined. +# is undefined. None may not be used if the SOURCE +# or DEST columns contain the firewall zone ($FW) +# or "all" +# +# If this column contains ACCEPT, DROP or REJECT and a +# corresponding common action is define in /etc/shorewall/actions +# (or /usr/share/shorewall/actions.std) then that column will be +# invoked before the policy named in this column is inforced. # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no diff --git a/Samples/two-interfaces/routestopped b/Samples/two-interfaces/routestopped index 0afb0d55a..1b401b759 100644 --- a/Samples/two-interfaces/routestopped +++ b/Samples/two-interfaces/routestopped @@ -1,6 +1,6 @@ ############################################################################## # -# Shorewall 1.4.8a -- Sample Routestopped file for two interfaces. +# Shorewall 2.0 -- Sample Routestopped file for two interfaces. # # /etc/shorewall/routestopped # diff --git a/Samples/two-interfaces/rules b/Samples/two-interfaces/rules index 8958880a9..95315f9e6 100755 
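Review bot: In the `@@ -45,7 +46,14 @@` hunk the added sentence `then that column will be invoked before the policy named in this column is inforced` is wrong on its face — it is the common action, not the column, that is invoked; the line should read `then that action will be invoked before the policy named in this column is enforced`, matching the one- and three-interface samples. The same hunk writes `None may not be used` where the keyword is `NONE` (as spelled in the other two samples and in the POLICY column description), and `define in /etc/shorewall/actions` should be `defined`. The sentence also lacks its closing period after `or "all"`.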
--- a/Samples/two-interfaces/rules +++ b/Samples/two-interfaces/rules @@ -1,10 +1,13 @@ # -# Shorewall version 1.4.8 - Sample Rules File For Two Interfaces +# Shorewall version 2.0 - Sample Rules File For Two Interfaces # # /etc/shorewall/rules # # Rules in this file govern connection establishment. Requests and -# responses are automatically allowed using connection tracking. +# responses are automatically allowed using connection tracking. For any +# particular (source,dest) pair of zones, the rules are evaluated in the +# order in which they appear in the file and the first match is the one +# that determines the disposition of the request. # # In most places where an IP address or subnet is allowed, you # can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to @@ -12,11 +15,15 @@ # given. Notice that no white space is permitted between "!" and the # address/subnet. # +# WARNING: If you masquerade or use SNAT from a local system to the internet +# you cannot use a ACCEPT rule to allow traffic from the internet to +# that system. You "must" use a DNAT rule instead. +# # Columns are: # # # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, -# REDIRECT-, CONTINUE, LOG Or QUEUE. +# REDIRECT-, CONTINUE, LOG, QUEUE or an . # # ACCEPT # Allow the connection request 
@@ -56,29 +63,16 @@ # Simply log the packet and continue. # QUEUE # Queue the packet to a user-space -# application such as p2pwall. +# application such as ftwall. +# (http://p2pwall.sf.net). +# +# The name of an action defined in +# /etc/shorewall/actions or in +# /usr/share/shorewall/actions.std. # -# You may rate-limit the rule by optionally following -# ACCEPT, DNAT[-], REDIRECT[-] or LOG with -# -# < /[:] > -# -# Where is the number of connections per -# ("sec" or "min") and is the largest -# burst permitted. If no is given, a value of 5 -# is assumed. There may be no whitespace embedded in the -# specification. -# -# Example: -# ACCEPT<10/sec:20> -# -# The ACTION (and rate limit) may optionally be followed by ":" -# and a syslog log level (e.g, REJECT:info or DNAT<4/sec:8>:debugging) -# This causes the packet to be logged at the specified level. -# -# NOTE: For those of you who prefer to place the rate limit in a separate column, -# see the RATE LIMIT column below. If you specify a value in that column you must include -# a rate limit in the action column. +# The ACTION may optionally be followed by ":" and a syslog +# log level (e.g, REJECT:info or DNAT:debug). This causes the +# packet to be logged at the specified level. # # You may also specify ULOG (must be in upper case) as a # log level. This will log to the ULOG target for routing 
@@ -243,60 +237,60 @@ # If you place a rate limit in this column, you may not place # a similiar limit in the ACTION column. # -# USER SET This Column may only be non-empty if the SOURCE is the firewall -# itself and the ACTION is ACCEPT, DROP or REJECT. +# USER/GROUP This column may only be non-empty if the SOURCE is the firewall itself. +# +# The column may contain: # -# The column may contain a user set name defined in the -# /etc/shorewall/usersets file or it may contain: +# [!][][:] # -# []:[] +# When this column is non-empty, the rule applies only if the program +# generating the output is running under the effective and/or +# specified (or is NOT running under that id if "!" is given). # -# When this column is non-empty, the rule applies only if the -# program generating the output is running under the effective -# (s) and/or (s) specified. When a user set name is -# given, a log level may not be present in the ACTION column; -# logging for such rules is controlled by user set's entry in -# /etc/shorewall/usersets. +# Examples: +# joe # program must be run by joe +# :kids # program must be run by a member of the 'kids' group. +# !:kids # program must not be run by a member of the 'kids' group. # # Also by default all outbound loc -> net communications are allowed. # You can change this behavior in the sample policy file. # # Example: Accept www requests to the firewall. 
# -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # ACCEPT net fw tcp http # # Example: Accept SMTP requests from the Local Network to the Internet # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # ACCEPT loc net tcp smtp # # Example: Forward all ssh and http connection requests from the Internet # to local system 192.168.1.3 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # DNAT net loc:192.168.1.3 tcp ssh,http # # Example: Redirect all locally-originating www connection requests to # port 3128 on the firewall (Squid running on the firewall # system) except when the destination address is 192.168.2.2 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # REDIRECT loc 3128 tcp www - !192.168.2.2 # # Example: All http requests from the Internet to address # 130.252.100.69 are to be forwarded to 192.168.1.3 # -# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# # PORT PORT(S) DEST LIMIT SET +# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# # PORT PORT(S) DEST LIMIT GROUP # DNAT net loc:192.168.1.3 tcp 80 - 130.252.100.69 ############################################################################## -#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER -# PORT PORT(S) DEST LIMIT SET +#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ +# PORT PORT(S) DEST LIMIT GROUP # # Accept DNS connections from the firewall to the network # 
diff --git a/Samples/two-interfaces/zones b/Samples/two-interfaces/zones index 845764a23..0ace51540 100644 --- a/Samples/two-interfaces/zones +++ b/Samples/two-interfaces/zones @@ -1,5 +1,5 @@ # -# Shorewall 1.4.8a -- Sample Zone File For Two Interfaces +# Shorewall 2.0 -- Sample Zone File For Two Interfaces # /etc/shorewall/zones # # This file determines your network zones. Columns are: