FreeBSD Mail Archives

Date:      Fri, 25 Jul 2003 02:42:32 +0200 (CEST)
From:      Dusan Marjanovic <madafaka@bsd.org.yu>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/54832: [NEW PORT] irc/bitlbee: An IRC to other chat networks gateway
Message-ID:  <20030725004232.AEC89621B@zvezda.fc>
Resent-Message-ID: <200307250050.h6P0oM8u042614@freefall.freebsd.org>

next in thread | raw e-mail | index | archive | help


>Number:         54832
>Category:       ports
>Synopsis:       [NEW PORT] irc/bitlbee: An IRC to other chat networks gateway
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 24 17:50:17 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator:     Dusan Marjanovic
>Release:        FreeBSD 5.1-RELEASE i386
>Organization:
>Environment:
System: FreeBSD zvezda.fc 5.1-RELEASE FreeBSD 5.1-RELEASE #1: Wed Jun 11 19:41:40 CEST 2003
>Description:
This is port of bitlbee, An IRC to other chat networks
gateway. Bitlbee supports a wide range of different IM protocols like
jabber, icq, msn...

WWW: http://www.lintux.cx/bitlbee.html

- Dusan Marjanovic
dbm@root.co.yu
>How-To-Repeat:
>Fix:

--- bitlbee-0.80.shar begins here ---
# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#	bitlbee
#	bitlbee/ipf-howto.html
#	bitlbee/files
#	bitlbee/files/patch-ab
#	bitlbee/files/patch-a
#	bitlbee/files/patch-ac
#	bitlbee/files/patch-ad
#	bitlbee/files/patch-ae
#	bitlbee/files/patch-af
#	bitlbee/files/patch-ag
#	bitlbee/files/patch-ah
#	bitlbee/tcp_filtering.pdf
#	bitlbee/Makefile
#	bitlbee/distinfo
#	bitlbee/pkg-descr
#	bitlbee/pkg-plist
#
echo c - bitlbee
mkdir -p bitlbee > /dev/null 2>&1
echo x - bitlbee/ipf-howto.html
sed 's/^X//' >bitlbee/ipf-howto.html << 'END-of-bitlbee/ipf-howto.html'
X<HTML>
X<!-- this file was generated by troffcvt and tc2html -->
X<BODY>
X<!-- Start Mirror Here -->
X<!-- TOC BEGIN -->
X<UL>
X<LI>
X<A HREF=#TOC_1>Introduction</A>
X<LI>
X<A HREF=#TOC_2>Disclaimer</A>
X<LI>
X<A HREF=#TOC_3>Copyright</A>
X<LI>
X<A HREF=#TOC_4>Where to obtain the important pieces</A>
X<LI>
X<A HREF=#TOC_5>Basic Firewalling</A>
X<LI>
X<A HREF=#TOC_6>Config File Dynamics, Order and Precedence</A>
X<LI>
X<A HREF=#TOC_7>Basic Rule Processing</A>
X<LI>
X<A HREF=#TOC_8>Controlling Rule Processing</A>
X<LI>
X<A HREF=#TOC_9>Basic filtering by IP address</A>
X<LI>
X<A HREF=#TOC_10>Controlling Your Interfaces</A>
X<LI>
X<A HREF=#TOC_11>Using IP Address and Interface Together</A>
X<LI>
X<A HREF=#TOC_12>Bi-Directional Filtering; The &quot;out&quot; Keyword</A>
X<LI>
X<A HREF=#TOC_13>Logging What Happens; The &quot;log&quot; Keyword</A>
X<LI>
X<A HREF=#TOC_14>Complete Bi-Directional Filtering By Interface</A>
X<LI>
X<A HREF=#TOC_15>Controlling Specific Protocols; The &quot;proto&quot; Keyword</A>
X<LI>
X<A HREF=#TOC_16>Filtering ICMP with the &quot;icmp-type&quot; Keyword; Merging Rulesets</A>
X<LI>
X<A HREF=#TOC_17>TCP and UDP Ports; The &quot;port&quot; Keyword</A>
X<LI>
X<A HREF=#TOC_18>Advanced Firewalling Introduction</A>
X<LI>
X<A HREF=#TOC_19>Rampant Paranoia; or The Default-Deny Stance</A>
X<LI>
X<A HREF=#TOC_20>Implicit Allow; The &quot;keep state&quot; Rule</A>
X<LI>
X<A HREF=#TOC_21>Stateful UDP</A>
X<LI>
X<A HREF=#TOC_22>Stateful ICMP</A>
X<LI>
X<A HREF=#TOC_23>FIN Scan Detection; &quot;flags&quot; Keyword, &quot;keep frags&quot; Keyword</A>
X<LI>
X<A HREF=#TOC_24>Responding To a Blocked Packet</A>
X<LI>
X<A HREF=#TOC_25>Fancy Logging Techniques</A>
X<LI>
X<A HREF=#TOC_26>Putting It All Together</A>
X<LI>
X<A HREF=#TOC_27>Improving Performance With Rule Groups</A>
X<LI>
X<A HREF=#TOC_28>&quot;Fastroute&quot;; The Keyword of Stealthiness</A>
X<LI>
X<A HREF=#TOC_29>NAT and Proxies</A>
X<LI>
X<A HREF=#TOC_30>Mapping Many Addresses Into One Address</A>
X<LI>
X<A HREF=#TOC_31>Mapping Many Addresses Into a Pool of Addresses</A>
X<LI>
X<A HREF=#TOC_32>One to One Mappings</A>
X<LI>
X<A HREF=#TOC_33>Policy NAT</A>
X<LI>
X<A HREF=#TOC_34>Spoofing Services</A>
X<LI>
X<A HREF=#TOC_35>Transparent Proxy Support; Redirection Made Useful</A>
X<LI>
X<A HREF=#TOC_36>Filtering Redirected Services</A>
X<LI>
X<A HREF=#TOC_37>Magic Hidden Within NAT; Application Proxies</A>
X<LI>
X<A HREF=#TOC_38>More Magic; Using NAT As a Load Balancer</A>
X<LI>
X<A HREF=#TOC_39>Loading and Manipulating Filter Rules; The ipf Utility</A>
X<LI>
X<A HREF=#TOC_40>Loading and Manipulating NAT Rules; The ipnat Utility</A>
X<LI>
X<A HREF=#TOC_41>Monitoring and Debugging</A>
X<LI>
X<A HREF=#TOC_42>The ipfstat utility</A>
X<LI>
X<A HREF=#TOC_43>The ipmon utility</A>
X<LI>
X<A HREF=#TOC_44>Keep State With Servers and Flags.</A>
X<LI>
X<A HREF=#TOC_45>Coping With FTP</A>
X<LI>
X<A HREF=#TOC_46>Running an FTP Server</A>
X<LI>
X<A HREF=#TOC_47>Running an FTP Client</A>
X<LI>
X<A HREF=#TOC_48>Assorted Kernel Variables</A>
X<LI>
X<A HREF=#TOC_49>Fun with ipf!</A>
X<LI>
X<A HREF=#TOC_50>Localhost Filtering</A>
X<LI>
X<A HREF=#TOC_51>What Firewall?  Transparent filtering.</A>
X<LI>
X<A HREF=#TOC_52>Using Transparent Filtering to Fix Network Design Mistakes</A>
X<LI>
X<A HREF=#TOC_53>Drop-Safe Logging With dup-to and to.</A>
X<LI>
X<A HREF=#TOC_54>The dup-to Method</A>
X<LI>
X<A HREF=#TOC_55>The to Method</A>
X<LI>
X<A HREF=#TOC_56>Bogus Network Filtering, the ultimate in current anti-spoofing technology.</A>
X</UL>
X<!-- TOC END -->
X<P>
X<CENTER>
XIP Filter Based Firewalls HOWTO<BR>
X</CENTER>
X<CENTER>
X<P>
X<I>Brendan Conoboy &lt;synk@swcp.com&gt;<BR>
XErik Fichtner &lt;emf@obfuscation.org&gt;<BR>
XFri Mar  1 22:29:33 EST 2002<BR>
X</I>
X</CENTER>
X<P>
X<B>Abstract:</B> This document is intended to introduce a new
Xuser to the IP Filter firewalling package and, at the same time,
Xteach the user some basic fundamentals of good firewall design.<BR>
X<A NAME=TOC_1>
X<H2>
XIntroduction
X</H2>
X</A><BR>
X<P>
XIP Filter is a great little firewall package.  It does just about
Xeverything other free firewalls (ipfwadm, ipchains, ipfw) do,
Xbut it's also portable and does neat stuff the others don't. 
XThis document is intended to make some cohesive sense of the sparse
Xdocumentation presently available for ipfilter.  Futhermore, this
Xdocument will also serve as documentation for syntatically compatible
Xpacket filters (notably <I>pf</I>) and, wherever applicable, will
Xpoint out any important differences; however this document is
Xspecifically targeted at the rules language and syntax, and is
Xnot intended to be platform specific.  Some prior familiarity
Xwith packet filtering will be useful, however too much familiarity
Xmay make this document a waste of your time.  For greater understanding
Xof firewalls, the authors recommend reading <I>Building Internet
XFirewalls</I>, Chapman &amp; Zwicky, O'Reilly and Associates;
Xand <I>TCP/IP Illustrated, Volume 1</I>, Stevens, Addison-Wesley.<BR>
X<A NAME=TOC_2>
X<H2>
XDisclaimer
X</H2>
X</A><BR>
X<P>
X<P>
XThe authors of this document are not responsible for any damages
Xincurred due to actions taken based on this document. This document
Xis meant as an introduction to building a firewall based on IP-Filter.
XIf you do not feel comfortable taking responsibility for your
Xown actions, you should stop reading this document and hire a
Xqualified security professional to install your firewall for you.<BR>
X<A NAME=TOC_3>
X<H2>
XCopyright
X</H2>
X</A><BR>
X<P>
X<P>
XUnless otherwise stated, HOWTO documents are copyrighted by their
Xrespective authors. HOWTO documents may be reproduced and distributed
Xin whole or in part, in any medium physical or electronic, as
Xlong as this copyright notice is retained on all copies. Commercial
Xredistribution is allowed and encouraged; however, the authors
Xwould like to be notified of any such distributions.<BR>
X<P>
X<P>
XAll translations, derivative works, or aggregate works incorporating
Xany HOWTO documents must be covered under this copyright notice.
XThat is, you may not produce a derivative work from a HOWTO and
Ximpose additional restrictions on its distribution. Exceptions
Xto these rules may be granted under certain conditions; please
Xcontact the HOWTO coordinator.<BR>
X<P>
X<P>
XIn short, we wish to promote dissemination of this information
Xthrough as many channels as possible. However, we do wish to retain
Xcopyright on the HOWTO documents, and would like to be notified
Xof any plans to redistribute the HOWTOs.<BR>
X<A NAME=TOC_4>
X<H2>
XWhere to obtain the important pieces
X</H2>
X</A><BR>
X<P>
X<P>
XThe official IPF homepage is at: <I>&lt;http://coombs.anu.edu.au/~avalon/ip-filter.html&gt;</I><BR>;
X<P>
X<P>
XThe BSD licensed compatible packet filter, pf, is at: <I>&lt;http://www.benzedrine.cx/pf.html&gt;</I><BR>;
X<P>
X<P>
XThe most up-to-date version of this document can be found at:
X<I>&lt;http://www.obfuscation.org/ipf/&gt;</I><BR>;
X<A NAME=TOC_5>
X<H2>
XBasic Firewalling
X</H2>
X</A><BR>
X<P>
X<P>
XThis section is designed to familiarize you with ipfilter's syntax,
Xand firewall theory in general.  The features discussed here are
Xfeatures you'll find in any good firewall package.  This section
Xwill give you a good foundation to make reading and understanding
Xthe advanced section very easy.  It must be emphasized that this
Xsection alone is not enough to build a good firewall, and that
Xthe advanced section really is required reading for anybody who
Xwants to build an effective security system.<BR>
X<A NAME=TOC_6>
X<H2>
XConfig File Dynamics, Order and Precedence
X</H2>
X</A><BR>
X<P>
X<P>
XIPF (IP Filter) has a config file (as opposed to say, running
Xsome command again and again for each new rule).  The config file
Xdrips with Unix:  There's one rule per line, the &quot;#&quot;
Xmark denotes a comment, and you can have a rule and a comment
Xon the same line.  Extraneous whitespace is allowed, and is encouraged
Xto keep the rules readable.<BR>
X<A NAME=TOC_7>
X<H2>
XBasic Rule Processing
X</H2>
X</A><BR>
X<P>
X<P>
XThe rules are processed from top to bottom, each one appended
Xafter another.  This quite simply means that if the entirety of
Xyour config file is:<BR>
X<TT>    block in all<BR>
X    pass  in all<BR>
X</TT>The computer sees it as:<BR>
X<TT>    block in all<BR>
X    pass  in all<BR>
X</TT>Which is to say that when a packet comes in, the first thing
XIPF applies is:<BR>
X<TT>    block in all<BR>
X</TT>Should IPF deem it necessary to move on to the next rule,
Xit would then apply the second rule:<BR>
X<TT>    pass  in all<BR>
X<P>
X<P>
X</TT>At this point, you might want to ask yourself &quot;would
XIPF move on to the second rule?&quot;  If you're familiar with
Xipfwadm or ipfw, you probably won't ask yourself this.  Shortly
Xafter, you will become bewildered at the weird way packets are
Xalways getting denied or passed when they shouldn't.  Many packet
Xfilters stop comparing packets to rulesets the moment the first
Xmatch is made; IPF is not one of them.<BR>
X<P>
X<P>
XUnlike the other packet filters, IPF keeps a flag on whether or
Xnot it's going to pass the packet.  Unless you interrupt the flow,
XIPF will go through the entire ruleset, making its decision on
Xwhether or not to pass or drop the packet based on the last matching
Xrule. The scene: IP Filter's on duty.  It's been been scheduled
Xa slice of CPU time.  It has a checkpoint clipboard that reads:<BR>
X<TT>    block in all<BR>
X    pass  in all<BR>
X</TT>A packet comes in the interface and it's time to go to work.
XIt takes a look at the packet, it takes a look at the first rule:<BR>
X<TT>    block in all<BR>
X</TT>&quot;So far I think I will block this packet&quot; says
XIPF.  It takes a look at the second rule:<BR>
X<TT>    pass  in all<BR>
X</TT>&quot;So far I think I will pass this packet&quot; says IPF.
XIt takes a look at a third rule.  There is no third rule, so it
Xgoes with what its last motivation was, to pass the packet onward.<BR>
XIt's a good time to point out that even if the ruleset had been<BR>
X<TT>    block in all<BR>
X    block in all<BR>
X    block in all<BR>
X    block in all<BR>
X    pass  in all<BR>
X</TT>that the packet would still have gone through.  There is
Xno cumulative effect.  The last matching rule always takes precedence.<BR>
X<A NAME=TOC_8>
X<H2>
XControlling Rule Processing
X</H2>
X</A><BR>
X<P>
X<P>
XIf you have experience with other packet filters, you may find
Xthis layout to be confusing, and you may be speculating that there
Xare problems with portability with other filters and speed of
Xrule matching. Imagine if you had 100 rules and most of the applicable
Xones were the first 10. There would be a terrible overhead for
Xevery packet coming in to go through 100 rules every time.  Fortunately,
Xthere is a simple keyword you can add to any rule that makes it
Xtake action at that match. That keyword is <TT>quick</TT>.<BR>
XHere's a modified copy of the original ruleset using the <TT>quick</TT>
Xkeyword:<BR>
X<TT>    block in quick all<BR>
X    pass  in       all<BR>
X</TT>In this case, IPF looks at the first rule:<BR>
X<TT>    block in quick all<BR>
X</TT>The packet matches and the search is over.  The packet is
Xexpunged without a peep.  There are no notices, no logs, no memorial
Xservice.  Cake will not be served.  So what about the next rule?<BR>
X<TT>    pass  in       all<BR>
X<P>
X<P>
X</TT>This rule is never encountered.  It could just as easily
Xnot be in the config file at all.  The sweeping match of <TT>all</TT>
Xand the terminal keyword <TT>quick</TT> from the previous rule
Xmake certain that no rules are followed afterward.<BR>
X<P>
X<P>
XHaving half a config file laid to waste is rarely a desirable
Xstate. On the other hand, IPF is here to block packets and as
Xconfigured, it's doing a very good job.  Nonetheless, IPF is also
Xhere to let some packets through, so a change to the ruleset to
Xmake this possible is called for.<BR>
X<A NAME=TOC_9>
X<H2>
XBasic filtering by IP address
X</H2>
X</A><BR>
X<P>
X<P>
XIPF will match packets on many criteria.  The one that we most
Xcommonly think of is the IP address.  There are some blocks of
Xaddress space from which we should never get traffic.  One such
Xblock is from  the unroutable networks, 192.168.0.0/16 (/16 is
Xthe CIDR notation for a netmask.  You may be more familiar with
Xthe dotted decimal format, 255.255.0.0.  IPF accepts both).  If
Xyou wanted to block 192.168.0.0/16, this is one way to do it:<BR>
X<TT>    block in quick from 192.168.0.0/16 to any<BR>
X    pass  in       all<BR>
X</TT>Now we have a less stringent ruleset that actually does something
Xfor us. Let's imagine a packet comes in from 1.2.3.4.  The first
Xrule is applied:<BR>
X<TT>    block in quick from 192.168.0.0/16 to any<BR>
X</TT>The packet is from 1.2.3.4, not 192.168.*.*, so there is
Xno match.  The second rule is applied:<BR>
X<TT>    pass  in       all<BR>
X</TT>The packet from 1.2.3.4 is definitely a part of <TT>all</TT>,
Xso the packet is sent to whatever it's destination happened to
Xbe.<BR>
X<P>
X<P>
XOn the other hand, suppose we have a packet that comes in from
X192.168.1.2. The first rule is applied:<BR>
X<TT>    block in quick from 192.168.0.0/16 to any<BR>
X</TT>There's a match, the packet is dropped, and that's the end.
XAgain, it doesn't move to the second rule because the first rule
Xmatches and contains the <TT>quick</TT> keyword.<BR>
X<P>
X<P>
XAt this point you can build a fairly extensive set of definitive
Xaddresses which are passed or blocked.  Since we've already started
Xblocking private address space from entering our firewall, let's
Xtake care of the rest of it:<BR>
X<TT>    block in quick from 192.168.0.0/16 to any<BR>
X    block in quick from 172.16.0.0/12 to any<BR>
X    block in quick from 10.0.0.0/8 to any<BR>
X    pass  in       all<BR>
X</TT>The first three address blocks are some of the private IP
Xspace.[[dagger]] [[footnote: [[dagger]] See rfc1918 at <I>&lt;http://www.faqs.org/rfcs/rfc1918.html&gt;</I>;
Xand <I>&lt;http://www.ietf.org/internet-drafts/draft-manning-dsua-06.txt&gt;</I>;
X]]<BR>
X<A NAME=TOC_10>
X<H2>
XControlling Your Interfaces
X</H2>
X</A><BR>
X<P>
X<P>
XIt seems very frequent that companies have internal networks before
Xthey want a link to the outside world.  In fact, it's probably
Xreasonable to say that's the main reason people consider firewalls
Xin the first place.  The machine that bridges the outside world
Xto the inside world and vice versa is the router.  What separates
Xthe router from any other machine is simple: It has more than
Xone interface.<BR>
X<P>
X<P>
XEvery packet you receive comes from a network interface; every
Xpacket you transmit goes out a network interface.  Say your machine
Xhas 3 interfaces, <TT>lo0</TT> (loopback), <TT>xl0</TT> (3com
Xethernet), and <TT>tun0</TT> (FreeBSD's generic tunnel interface
Xthat PPP uses), but you don't want packets coming in on the <TT>tun0</TT>
Xinterface?<BR>
X<TT>    block in quick on tun0 all<BR>
X    pass  in               all<BR>
X</TT>In this case, the <TT>on</TT> keyword means that that data
Xis coming in on the named interface.  If a packet comes <TT>in
Xon tun0</TT>, the first rule will block it.  If a packet comes
X<TT>in on lo0</TT> or <TT>in on xl0</TT>, the first rule will
Xnot match, the second rule will, the packet will be passed.<BR>
X<A NAME=TOC_11>
X<H2>
XUsing IP Address and Interface Together
X</H2>
X</A><BR>
X<P>
X<P>
XIt's an odd state of affairs when one decides it best to have
Xthe <TT>tun0</TT> interface up, but not allow any data to be received
Xfrom it. The more criteria the firewall matches against, the tighter
X(or looser) the firewall can become.  Maybe you want data from
X<TT>tun0</TT>, but not from 192.168.0.0/16?  This is the start
Xof a powerful firewall.<BR>
X<TT>    block in quick on tun0 from 192.168.0.0/16 to any<BR>
X    pass  in       all<BR>
X</TT>Compare this to our previous rule:<BR>
X<TT>    block in quick from 192.168.0.0/16 to any<BR>
X    pass  in       all<BR>
X</TT>The old way, all traffic from 192.168.0.0/16, regardless
Xof interface, was completely blocked.  The new way, using <TT>on
Xtun0</TT> means that it's only blocked if it comes in on the <TT>tun0</TT>
Xinterface.  If a packet arrived on the <TT>xl0</TT> interface
Xfrom 192.168.0.0/16, it would be passed.<BR>
X<P>
X<P>
XAt this point you can build a fairly extensive set of definitive
Xaddresses which are passed or blocked.  Since we've already started
Xblocking private address space from entering <TT>tun0</TT>, let's
Xtake care of the rest of it:<BR>
X<TT>    block in quick on tun0 from 192.168.0.0/16 to any<BR>
X    block in quick on tun0 from 172.16.0.0/12 to any<BR>
X    block in quick on tun0 from 10.0.0.0/8 to any<BR>
X    block in quick on tun0 from 127.0.0.0/8 to any<BR>
X    block in quick on tun0 from 0.0.0.0/8 to any<BR>
X    block in quick on tun0 from 169.254.0.0/16 to any<BR>
X    block in quick on tun0 from 192.0.2.0/24 to any<BR>
X    block in quick on tun0 from 204.152.64.0/23 to any<BR>
X    block in quick on tun0 from 224.0.0.0/3 to any<BR>
X    pass  in       all<BR>
X</TT>You've already seen the first three <TT>block</TT>s, but
Xnot the rest. The fourth is a largely wasted class-A network used
Xfor loopback.  Much software communicates with itself on 127.0.0.1
Xso blocking it from an external source is a good idea.  The fifth,
X0.0.0.0/8, should never be seen on the internet.  Most IP stacks
Xtreat &quot;0.0.0.0/32&quot; as the default gateway, and the rest
Xof the 0.*.*.* network gets handled strangely by various systems
Xas a byproduct of how routing decisions are made.   You should
Xtreat 0.0.0.0/8 just like 127.0.0.0/8.    169.254.0.0/16 has been
Xassigned by the IANA for use in auto-configuration when systems
Xhave not yet been able to obtain an IP address via DHCP or the
Xlike.  Most notably, Microsoft Windows will use addresses in this
Xrange if they are set to DHCP and cannot find a DHCP server. 
X192.0.2.0/24 has also been reserved for use as an example IP netblock
Xfor documentation authors.  We specifically do not use this range
Xas it would cause confusion when we tell you to block it, and
Xthus all our examples come from 20.20.20.0/24. 204.152.64.0/23
Xis an odd netblock reserved by Sun Microsystems for private cluster
Xinterconnects, and blocking this is up to your own judgement.
XLastly, 224.0.0.0/3 wipes out the &quot;Class D and E&quot; networks
Xwhich is used mostly for multicast traffic, although further definition
Xof &quot;Class E&quot; space can be found in RFC 1166.<BR>
X<P>
X<P>
XThere's a very important principle in packet filtering which has
Xonly been alluded to with the private network blocking and that
Xis this: When you know there's certain types of data that only
Xcomes from certain places, you setup the system to only allow
Xthat kind of data from those places.  In the case of the unroutable
Xaddresses, you know that nothing from 10.0.0.0/8 should be arriving
Xon <TT>tun0</TT> because you have no way to reply to it.  It's
Xan illegitimate packet.  The same goes for the other unroutables
Xas well as 127.0.0.0/8.<BR>
X<P>
X<P>
XMany pieces of software do all their authentication based upon
Xthe packet's originating IP address.  When you have an internal
Xnetwork, say 20.20.20.0/24, you know that the only traffic for
Xthat internal network is going to come off the local ethernet.
XShould a packet from 20.20.20.0/24 arrive over a PPP dialup, it's
Xperfectly reasonable to drop it on the floor, or put it in a dark
Xroom for interrogation.  It should by no means be allowed to get
Xto its final destination.  You can accomplish this particularly
Xeasily with what you already know of IPF. The new ruleset would
Xbe:<BR>
X<TT>    block in quick on tun0 from 192.168.0.0/16 to any<BR>
X    block in quick on tun0 from 172.16.0.0/12 to any<BR>
X    block in quick on tun0 from 10.0.0.0/8 to any<BR>
X    block in quick on tun0 from 127.0.0.0/8 to any<BR>
X    block in quick on tun0 from 0.0.0.0/8 to any<BR>
X    block in quick on tun0 from 169.254.0.0/16 to any<BR>
X    block in quick on tun0 from 192.0.2.0/24 to any<BR>
X    block in quick on tun0 from 204.152.64.0/23 to any<BR>
X    block in quick on tun0 from 224.0.0.0/3 to any<BR>
X    block in quick on tun0 from 20.20.20.0/24 to any<BR>
X    pass  in       all<BR>
X</TT>
X<A NAME=TOC_12>
X<H2>
XBi-Directional Filtering; The &quot;out&quot; Keyword
X</H2>
X</A><BR>
X<P>
X<P>
XUp until now, we've been passing or blocking inbound traffic.
XTo clarify, inbound traffic is all traffic that enters the firewall
Xon any interface.  Conversely, outbound traffic is all traffic
Xthat leaves on any interface (whether locally generated or simply
Xpassing through).  This means that all packets coming in are not
Xonly filtered as they enter the firewall, they're also filtered
Xas they exit.  Thusfar there's been an implied <TT>pass out all</TT>
Xthat may or may not be desirable.[[dagger]] Just as you may pass
Xand block incoming traffic, you may do the same with outgoing
Xtraffic.<BR>
X<P>
X<P>
XNow that we know there's a way to filter outbound packets just
Xlike inbound, it's up to us to find a conceivable use for such
Xa thing.  One possible use of this idea is to keep spoofed packets
Xfrom exiting your own network.  Instead of passing any traffic
Xout the router, you could instead limit permitted traffic to packets
Xoriginating at 20.20.20.0/24.  You might do it like this: [[footnote:
X[[dagger]] This can, of course, be changed by using -DIPFILTER_DEFAULT_BLOCK
Xwhen compiling ipfilter on your system. ]]<BR>
X<TT>    pass  out quick on tun0 from 20.20.20.0/24 to any<BR>
X    block out quick on tun0 from any to any<BR>
X</TT>If a packet comes from 20.20.20.1/32, it gets sent out by
Xthe first rule.  If a packet comes from 1.2.3.4/32 it gets blocked
Xby the second.<BR>
X<P>
X<P>
XYou can also make similar rules for the unroutable addresses.
XIf some machine tries to route a packet through IPF with a destination
Xin 192.168.0.0/16, why not drop it?  The worst that can happen
Xis that you'll spare yourself some bandwidth:<BR>
X<TT>    block out quick on tun0 from any to 192.168.0.0/16<BR>
X    block out quick on tun0 from any to 172.16.0.0/12<BR>
X    block out quick on tun0 from any to 10.0.0.0/8<BR>
X    block out quick on tun0 from any to 0.0.0.0/8<BR>
X    block out quick on tun0 from any to 127.0.0.0/8<BR>
X    block out quick on tun0 from any to 169.254.0.0/16<BR>
X    block out quick on tun0 from any to 192.0.2.0/24<BR>
X    block out quick on tun0 from any to 204.152.64.0/23<BR>
X    block out quick on tun0 from any to 224.0.0.0/3<BR>
X    block out quick on tun0 from !20.20.20.0/24 to any<BR>
X</TT>In the narrowest viewpoint, this doesn't enhance your security.
XIt enhances everybody else's security, and that's a nice thing
Xto do. As another viewpoint, one might suppose that because nobody
Xcan send spoofed packets from your site, that your site has less
Xvalue as a relay for crackers, and as such is less of a target.<BR>
X<P>
X<P>
XYou'll likely find a number of uses for blocking outbound packets.
XOne thing to always keep in mind is that in and out directions
Xare in reference to your firewall, never any other machine.<BR>
X<A NAME=TOC_13>
X<H2>
XLogging What Happens; The &quot;log&quot; Keyword
X</H2>
X</A><BR>
X<P>
X<P>
XUp to this point, all blocked and passed packets have been silently
Xblocked and silently passed.  Usually you want to know if you're
Xbeing attacked rather than wonder if that firewall is really buying
Xyou any added benefits.  While I wouldn't want to log every passed
Xpacket, and in some cases every blocked packet, I would want to
Xknow about the blocked packets from 20.20.20.0/24.  To do this,
Xwe add the <TT>log</TT> keyword:<BR>
X<TT>    block in     quick on tun0 from 192.168.0.0/16 to any<BR>
X    block in     quick on tun0 from 172.16.0.0/12 to any<BR>
X    block in     quick on tun0 from 10.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 127.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 0.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 169.254.0.0/16 to any<BR>
X    block in     quick on tun0 from 192.0.2.0/24 to any<BR>
X    block in     quick on tun0 from 204.152.64.0/23 to any<BR>
X    block in     quick on tun0 from 224.0.0.0/3 to any<BR>
X    block in log quick on tun0 from 20.20.20.0/24 to any<BR>
X    pass  in       all<BR>
X</TT>So far, our firewall is pretty good at blocking packets coming
Xto it from suspect places, but there's still more to be done.
XFor one thing, we're accepting packets destined anywhere.  One
Xthing we ought to do is make sure packets to 20.20.20.0/32 and
X20.20.20.255/32 get dropped on the floor.  To do otherwise opens
Xthe internal network for a smurf attack.  These two lines would
Xprevent our hypothetical network from being used as a smurf relay:<BR>
X<TT>    block in log quick on tun0 from any to 20.20.20.0/32<BR>
X    block in log quick on tun0 from any to 20.20.20.255/32<BR>
X</TT>This brings our total ruleset to look something like this:<BR>
X<TT>    block in     quick on tun0 from 192.168.0.0/16 to any<BR>
X    block in     quick on tun0 from 172.16.0.0/12 to any<BR>
X    block in     quick on tun0 from 10.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 127.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 0.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 169.254.0.0/16 to any<BR>
X    block in     quick on tun0 from 192.0.2.0/24 to any<BR>
X    block in     quick on tun0 from 204.152.64.0/23 to any<BR>
X    block in     quick on tun0 from 224.0.0.0/3 to any<BR>
X    block in log quick on tun0 from 20.20.20.0/24 to any<BR>
X    block in log quick on tun0 from any to 20.20.20.0/32<BR>
X    block in log quick on tun0 from any to 20.20.20.255/32<BR>
X    pass  in       all<BR>
X</TT>
X<A NAME=TOC_14>
X<H2>
XComplete Bi-Directional Filtering By Interface
X</H2>
X</A><BR>
X<P>
X<P>
XSo far we have only presented fragments of a complete ruleset.
XWhen you're actually creating your ruleset, you should setup rules
Xfor every direction and every interface.  The default state of
Xipfilter is to pass packets.  It is as though there were an invisible
Xrule at the beginning which states <TT>pass in all</TT> and <TT>pass
Xout all</TT>. Rather than rely on some default behaviour, make
Xeverything as specific as possible, interface by interface, until
Xevery base is covered.<BR>
X<P>
X<P>
XFirst we'll start with the <TT>lo0</TT> interface, which wants
Xto run wild and free.  Since these are programs talking to others
Xon the local system, go ahead and keep it unrestricted:<BR>
X<TT>    pass out quick on lo0<BR>
X    pass in  quick on lo0<BR>
X</TT>Next, there's the <TT>xl0</TT> interface.  Later on we'll
Xbegin placing restrictions on the <TT>xl0</TT> interface, but
Xto start with, we'll act as though everything on our local network
Xis trustworthy and give it much the same treatment as <TT>lo0</TT>:<BR>
X<TT>    pass out quick on xl0<BR>
X    pass in  quick on xl0<BR>
X</TT>Finally, there's the <TT>tun0</TT> interface, which we've
Xbeen half-filtering with up until now:<BR>
X<TT>    block out quick on tun0 from any to 192.168.0.0/16<BR>
X    block out quick on tun0 from any to 172.16.0.0/12<BR>
X    block out quick on tun0 from any to 127.0.0.0/8<BR>
X    block out quick on tun0 from any to 10.0.0.0/8<BR>
X    block out quick on tun0 from any to 0.0.0.0/8<BR>
X    block out quick on tun0 from any to 169.254.0.0/16<BR>
X    block out quick on tun0 from any to 192.0.2.0/24<BR>
X    block out quick on tun0 from any to 204.152.64.0/23<BR>
X    block out quick on tun0 from any to 224.0.0.0/3<BR>
X    pass  out quick on tun0 from 20.20.20.0/24 to any<BR>
X    block out quick on tun0 from any to any<BR>
X    block in     quick on tun0 from 192.168.0.0/16 to any<BR>
X    block in     quick on tun0 from 172.16.0.0/12 to any<BR>
X    block in     quick on tun0 from 10.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 127.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 0.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 169.254.0.0/16 to any<BR>
X    block in     quick on tun0 from 192.0.2.0/24 to any<BR>
X    block in     quick on tun0 from 204.152.64.0/23 to any<BR>
X    block in     quick on tun0 from 224.0.0.0/3 to any<BR>
X    block in log quick on tun0 from 20.20.20.0/24 to any<BR>
X    block in log quick on tun0 from any to 20.20.20.0/32<BR>
X    block in log quick on tun0 from any to 20.20.20.255/32<BR>
X    pass  in     all<BR>
X</TT>This is a pretty significant amount of filtering already,
Xprotecting 20.20.20.0/24 from being spoofed or being used for
Xspoofing.  Future examples will continue to show one-sideness,
Xbut keep in mind that it's for brevity's sake, and when setting
Xup your own ruleset, adding rules for every direction and every
Xinterface is necessary.<BR>
X<A NAME=TOC_15>
X<H2>
XControlling Specific Protocols; The &quot;proto&quot; Keyword
X</H2>
X</A><BR>
X<P>
X<P>
XDenial of Service attacks are as rampant as buffer overflow exploits.
XMany denial of service attacks rely on glitches in the OS's TCP/IP
Xstack.  Frequently, this has come in the form of ICMP packets.
XWhy not block them entirely?<BR>
X<TT>    block in log quick on tun0 proto icmp from any to any<BR>
X</TT>Now any ICMP traffic coming in from <TT>tun0</TT> will be
Xlogged and discarded.<BR>
X<A NAME=TOC_16>
X<H2>
XFiltering ICMP with the &quot;icmp-type&quot; Keyword; Merging
XRulesets
X</H2>
X</A><BR>
X<P>
X<P>
XOf course, dropping all ICMP isn't really an ideal situation.
XWhy not drop all ICMP?  Well, because it's useful to have partially
Xenabled.  So maybe you want to keep some types of ICMP traffic
Xand drop other kinds.  If you want ping and traceroute to work,
Xyou need to let in ICMP types 0 and 11.  Strictly speaking, this
Xmight not be a good idea, but if you need to weigh security against
Xconvenience, IPF lets you do it.<BR>
X<TT>    pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0<BR>
X    pass in quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11<BR>
X</TT>Remember that ruleset order is important.  Since we're doing
Xeverything <TT>quick</TT> we must have our <TT>pass</TT>es before
Xour <TT>block</TT>s, so we really want the last three rules in
Xthis order:<BR>
X<TT>    pass  in     quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0<BR>
X    pass  in     quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11<BR>
X    block in log quick on tun0 proto icmp from any to any<BR>
X</TT>Adding these 3 rules to the anti-spoofing rules is a bit
Xtricky.  One error might be to put the new ICMP rules at the beginning:<BR>
X<TT>    pass  in     quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0<BR>
X    pass  in     quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11<BR>
X    block in log quick on tun0 proto icmp from any to any<BR>
X    block in     quick on tun0 from 192.168.0.0/16 to any<BR>
X    block in     quick on tun0 from 172.16.0.0/12 to any<BR>
X    block in     quick on tun0 from 10.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 127.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 0.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 169.254.0.0/16 to any<BR>
X    block in     quick on tun0 from 192.0.2.0/24 to any<BR>
X    block in     quick on tun0 from 204.152.64.0/23 to any<BR>
X    block in     quick on tun0 from 224.0.0.0/3 to any<BR>
X    block in log quick on tun0 from 20.20.20.0/24 to any<BR>
X    block in log quick on tun0 from any to 20.20.20.0/32<BR>
X    block in log quick on tun0 from any to 20.20.20.255/32<BR>
X    pass  in       all<BR>
X</TT>The problem with this is that an ICMP type 0 packet from
X192.168.0.0/16 will get passed by the first rule, and never blocked
Xby the fourth rule.  Also, since we <TT>quick</TT>ly pass an ICMP
XECHO_REPLY (type 0) to 20.20.20.0/24, we've just opened ourselves
Xback up to a nasty smurf attack and nullified those last two block
Xrules.  Oops.  To avoid this, we place the ICMP rules after the
Xanti-spoofing rules:<BR>
X<TT>    block in     quick on tun0 from 192.168.0.0/16 to any<BR>
X    block in     quick on tun0 from 172.16.0.0/12 to any<BR>
X    block in     quick on tun0 from 10.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 127.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 0.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 169.254.0.0/16 to any<BR>
X    block in     quick on tun0 from 192.0.2.0/24 to any<BR>
X    block in     quick on tun0 from 204.152.64.0/23 to any<BR>
X    block in     quick on tun0 from 224.0.0.0/3 to any<BR>
X    block in log quick on tun0 from 20.20.20.0/24 to any<BR>
X    block in log quick on tun0 from any to 20.20.20.0/32<BR>
X    block in log quick on tun0 from any to 20.20.20.255/32<BR>
X    pass  in     quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0<BR>
X    pass  in     quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11<BR>
X    block in log quick on tun0 proto icmp from any to any<BR>
X    pass  in       all<BR>
X</TT>Because we block spoofed traffic before the ICMP rules are
Xprocessed, a spoofed packet never makes it to the ICMP ruleset.
XIt's very important to keep such situations in mind when merging
Xrules.<BR>
X<A NAME=TOC_17>
X<H2>
XTCP and UDP Ports; The &quot;port&quot; Keyword
X</H2>
X</A><BR>
X<P>
X<P>
XNow that we've started blocking packets based on protocol, we
Xcan start blocking packets based on specific aspects of each protocol.
XThe most frequently used of these aspects is the port number.
XServices such as rsh, rlogin, and telnet are all very convenient
Xto have, but also hideously insecure against network sniffing
Xand spoofing.  One great compromise is to only allow the services
Xto run internally, then block them externally.  This is easy to
Xdo because rlogin, rsh, and telnet use specific TCP ports (513,
X514, and 23 respectively). As such, creating rules to block them
Xis easy:<BR>
X<TT>    block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 513<BR>
X    block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 514<BR>
X    block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 23<BR>
X</TT>Make sure all 3 are before the <TT>pass in all</TT> and they'll
Xbe closed off from the outside (leaving out spoofing for brevity's
Xsake):<BR>
X<TT>    pass  in     quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 0<BR>
X    pass  in     quick on tun0 proto icmp from any to 20.20.20.0/24 icmp-type 11<BR>
X    block in log quick on tun0 proto icmp from any to any<BR>
X    block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 513<BR>
X    block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 514<BR>
X    block in log quick on tun0 proto tcp from any to 20.20.20.0/24 port = 23<BR>
X    pass  in     all<BR>
X</TT>You might also want to block 514/udp (syslog),  111/tcp &amp;
X111/udp (portmap), 515/tcp (lpd), 2049/tcp and 2049/udp (NFS),
X6000/tcp (X11) and so on and so forth.  You can get a complete
Xlisting of the ports being listened to by using <TT>netstat -a</TT>
X(or <TT>lsof -i</TT>, if you have it installed).<BR>
X<P>
X<P>
XBlocking UDP instead of TCP only requires replacing <TT>proto
Xtcp</TT> with <TT>proto udp</TT>.  The rule for syslog would be:<BR>
X<TT>    block in log quick on tun0 proto udp from any to 20.20.20.0/24 port = 514<BR>
X</TT>IPF also has a shorthand way to write rules that apply to
Xboth <TT>proto tcp</TT> and <TT>proto udp</TT> at the same time,
Xsuch as portmap or NFS.  The rule for portmap would be:<BR>
X<TT>    block in log quick on tun0 proto tcp/udp from any to 20.20.20.0/24 port = 111<BR>
X</TT>
X<A NAME=TOC_18>
X<H2>
XAdvanced Firewalling Introduction
X</H2>
X</A><BR>
X<P>
X<P>
XThis section is designed as an immediate followup to the basic
Xsection.  Contained below are both concepts for advanced firewall
Xdesign, and advanced features contained only within ipfilter.
XOnce you are comfortable with this section, you should be able
Xto build a very strong firewall.<BR>
X<A NAME=TOC_19>
X<H2>
XRampant Paranoia; or The Default-Deny Stance
X</H2>
X</A><BR>
X<P>
X<P>
XThere's a big problem with blocking services by the port: sometimes
Xthey move.  RPC based programs are terrible about this, lockd,
Xstatd, even nfsd listens places other than 2049.  It's awfully
Xhard to predict, and even worse to automate adjusting all the
Xtime.  What if you miss a service? Instead of dealing with all
Xthat hassle, let's start over with a clean slate.  The current
Xruleset looks like this:<BR>
X<P>
X<P>
XYes, we really are starting over.  The first rule we're going
Xto use is this:<BR>
X<TT>    block in all<BR>
X</TT>No network traffic gets through. None. Not a peep.  You're
Xrather secure with this setup.  Not terribly useful, but quite
Xsecure.  The great thing is that it doesn't take much more to
Xmake your box rather secure, yet useful too.  Let's say the machine
Xthis is running on is a web server, nothing more, nothing less.
XIt doesn't even do DNS lookups.  It just wants to take connections
Xon 80/tcp and that's it. We can do that.  We can do that with
Xa second rule, and you already know how:<BR>
X<TT>    block in       on tun0 all<BR>
X    pass  in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 80<BR>
X</TT>This machine will pass in port 80 traffic for 20.20.20.1,
Xand deny everything else, including responses from port 80. To
Xfix this, you have to allow the response back out as well:<BR>
X<TT>    block in       on tun0 all<BR>
X    pass  in quick on tun0 proto tcp from any to 20.20.20.1/32 port = 80<BR>
X    pass  out quick on tun0 proto tcp from 20.20.20.1/32 port = 80 to any<BR>
X</TT>For basic firewalling, this is all one needs.  However, there
Xis an easier way; by using stateful rules.<BR>
X<A NAME=TOC_20>
X<H2>
XImplicit Allow; The &quot;keep state&quot; Rule
X</H2>
X</A><BR>
X<P>
X<P>
XThe job of your firewall is to prevent unwanted traffic getting
Xto point B from point A.  We have general rules which say &quot;as
Xlong as this packet is to port 23, it's okay.&quot;  We have general
Xrules which say &quot;as long as this packet has its FIN flag
Xset, it's okay.&quot;  Our firewalls don't know the beginning,
Xmiddle, or end of any TCP/UDP/ICMP session.  They merely have
Xvague rules that are applied to all packets.  We're left to hope
Xthat the packet with its FIN flag set isn't really a FIN scan,
Xmapping our services.  We hope that the packet to port 23 isn't
Xan attempted hijack of our telnet session. What if there was a
Xway to identify and authorize individual TCP/UDP/ICMP sessions
Xand distinguish them from port scanners and DoS attacks?  There
Xis a way, it's called keeping state.<BR>
X<P>
X<P>
XWe want convenience and security in one.  Lots of people do, that's
Xwhy Ciscos have an &quot;established&quot; clause that lets established
Xtcp sessions go through.  Ipfw has established.  Ipfwadm has setup/established.
XThey all have this feature, but the name is very misleading. 
XWhen we first saw it, we thought it meant our packet filter was
Xkeeping track of what was going on, that it knew if a connection
Xwas really established or not.  The fact is, they're all taking
Xthe packet's word for it from a part of the packet anybody can
Xlie about.  They read the TCP packet's flags section and there's
Xthe reason UDP/ICMP don't work with it, they have no such thing.
XAnybody who can create a packet with bogus flags can get by a
Xfirewall with this setup.<BR>
X<P>
X<P>
XWhere does IPF come in to play here, you ask?  Well, unlike the
Xother firewalls, IPF really can keep track of whether or not a
Xconnection is established.  And it'll do it with TCP, UDP and
XICMP, not just TCP.  Ipf calls it keeping state.  The keyword
Xfor the ruleset is <TT>keep state</TT>.<BR>
X<P>
X<P>
XUp until now, we've told you that packets come in, then the ruleset
Xgets checked; packets go out, then the ruleset gets checked. Actually,
Xwhat happens is packets come in, the state table gets checked,
Xthen *maybe* the inbound ruleset gets checked; packets go out,
Xthe state table gets checked, then *maybe* the outbound ruleset
Xgets checked.  The state table is a list of TCP/UDP/ICMP sessions
Xthat are unquestionadely passed through the firewall, circumventing
Xthe entire ruleset.  Sound like a serious security hole?  Hang
Xon, it's the best thing that ever happened to your firewall.<BR>
X<P>
X<P>
XAll TCP/IP sessions have a start, a middle, and an end (even though
Xthey're sometimes all in the same packet).  You can't have an
Xend without a middle and you can't have a middle without a start.
XThis means that all you really need to filter on is the beginning
Xof a TCP/UDP/ICMP session.  If the beginning of the session is
Xallowed by your firewall rules, you really want the middle and
Xend to be allowed too (lest your IP stack should overflow and
Xyour machines become useless).  Keeping state allows you to ignore
Xthe middle and end and simply focus on blocking/passing new sessions.
XIf the new session is passed, all its subsequent packets will
Xbe allowed through. If it's blocked, none of its subsequent packets
Xwill be allowed through.  Here's an example for running an ssh
Xserver (and nothing but an ssh server):<BR>
X<TT>    block out quick on tun0 all<BR>
X    pass  in  quick on tun0 proto tcp from any to 20.20.20.1/32 port = 22 keep state<BR>
X</TT>The first thing you might notice is that there's no &quot;pass
Xout&quot; provision. In fact, there's only an all-inclusive &quot;block
Xout&quot; rule.  Despite this, the ruleset is complete.  This
Xis because by keeping state, the entire ruleset is circumvented.
XOnce the first SYN packet hits the ssh server, state is created
Xand the remainder of the ssh session is allowed to take place
Xwithout interference from the firewall.  Here's another example:<BR>
X<TT>    block in  quick on tun0 all<BR>
X    pass  out quick on tun0 proto tcp from 20.20.20.1/32 to any keep state<BR>
X</TT>In this case, the server is running no services.  Infact,
Xit's not a server, it's a client.  And this client doesn't want
Xunauthorized packets entering its IP stack at all.  However, the
Xclient wants full access to the internet and the reply packets
Xthat such privledge entails.  This simple ruleset creates state
Xentries for every new outgoing TCP session.  Again, since a state
Xentry is created, these new TCP sessions are free to talk back
Xand forth as they please without the hinderance or inspection
Xof the firewall ruleset.  We mentioned that this also works for
XUDP and ICMP:<BR>
X<TT>    block in  quick on tun0 all<BR>
X    pass  out quick on tun0 proto tcp  from 20.20.20.1/32 to any keep state<BR>
X    pass  out quick on tun0 proto udp  from 20.20.20.1/32 to any keep state<BR>
X    pass  out quick on tun0 proto icmp from 20.20.20.1/32 to any keep state<BR>
X</TT>Yes Virginia, we can ping.  Now we're keeping state on TCP,
XUDP, ICMP.  Now we can make outgoing connections as though there's
Xno firewall at all, yet would-be attackers can't get back in.
XThis is very handy because there's no need to track down what
Xports we're listening to, only the ports we want people to be
Xable to get to.<BR>
X<P>
X<P>
XState is pretty handy, but it's also a bit tricky.  You can shoot
Xyourself in the foot in strange and mysterious ways.  Consider
Xthe following ruleset:<BR>
X<TT>     pass  in  quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23<BR>
X     pass  out quick on tun0 proto tcp from any to any keep state<BR>
X     block in  quick all<BR>
X     block out quick all<BR>
X</TT>At first glance, this seems to be a good setup.  We allow
Xincoming sessions to port 23, and outgoing sessions anywhere.
XNaturally packets going to port 23 will have reply packets, but
Xthe ruleset is setup in such a way that the pass out rule will
Xgenerate a state entry and everything will work perfectly.  At
Xleast, you'd think so.<BR>
X<P>
X<P>
XThe unfortunate truth is that after 60 seconds of idle time the
Xstate entry will be closed (as opposed to the normal 5 days).
XThis is because the state tracker never saw the original SYN packet
Xdestined to port 23, it only saw the SYN ACK.  IPF is very good
Xabout following TCP sessions from start to finish, but it's not
Xvery good about coming into the middle of a connection, so rewrite
Xthe rule to look like this:<BR>
X<TT>     pass  in  quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 keep state<BR>
X     pass  out quick on tun0 proto tcp from any to any keep state<BR>
X     block in  quick all<BR>
X     block out quick all<BR>
X</TT>The additional of this rule will enter the very first packet
Xinto the state table and everything will work as expected.  Once
Xthe 3-way handshake has been witness by the state engine, it is
Xmarked in 4/4 mode, which means it's setup for long-term data
Xexchange until such time as the connection is torn down (wherein
Xthe mode changes again.  You can see the current modes of your
Xstate table with <TT>ipfstat -s</TT>.<BR>
X<A NAME=TOC_21>
X<H2>
XStateful UDP
X</H2>
X</A><BR>
X<P>
X<P>
XUDP is stateless so naturally it's a bit harder to do a reliable
Xjob of keeping state on it.  Nonetheless, ipf does a pretty good
Xjob.  When machine A sends a UDP packet to machine B with source
Xport X and destination port Y, ipf will allow a reply from machine
XB to machine A with source port Y and destination port X.  This
Xis a short term state entry, a mere 60 seconds.<BR>
X<P>
X<P>
XHere's an example of what happens if we use nslookup to get the
XIP address of www.3com.com:<BR>
X<TT>    $ nslookup www.3com.com<BR>
X</TT>A DNS packet is generated:<BR>
X<TT>    17:54:25.499852 20.20.20.1.2111 &gt; 198.41.0.5.53: 51979+<BR>
X</TT>The packet is from 20.20.20.1, port 2111, destined for 198.41.0.5,
Xport 53.  A 60 second state entry is created.  If a packet comes
Xback from 198.41.0.5 port 53 destined for 20.20.20.1 port 2111
Xwithin that period of time, the reply packet will be let through.
XAs you can see, milliseconds later:<BR>
X<TT>    17:54:25.501209 198.41.0.5.53 &gt; 20.20.20.1.2111: 51979 q: www.3com.com<BR>
X</TT>The reply packet matches the state criteria and is let through.
XAt that same moment that packet is let through, the state gateway
Xis closed and no new incoming packets will be allowed in, even
Xif they claim to be from the same place.<BR>
X<A NAME=TOC_22>
X<H2>
XStateful ICMP
X</H2>
X</A><BR>
X<P>
X<P>
XIPFilter handles ICMP states in the manner that one would expect
Xfrom understanding how ICMP is used with TCP and UDP, and with
Xyour understanding of how <TT>keep state</TT> works. There are
Xtwo general types of ICMP messages; requests and replies.   When
Xyou write a rule such as:<BR>
X<TT>    pass out on tun0 proto icmp from any to any icmp-type 8 keep state<BR>
X</TT>to allow outbound echo requests (a typical ping), the resultant
Xicmp-type 0 packet that comes back will be allowed in.  This state
Xentry has a default timeout of an incomplete 0/0 state of 60 seconds.
XThus, if you are keeping state on any outbound icmp message that
Xwill elicit an icmp message in reply, you need a <TT>proto icmp
X[...] keep state</TT> rule.<BR>
X<P>
X<P>
XHowever, the majority of ICMP messages are status messages generated
Xby some failure in UDP (and sometimes TCP), and in 3.4.x and greater
XIPFilters, any ICMP error status message (say <TT>icmp-type 3
Xcode 3</TT> port unreachable, or <TT>icmp-type 11</TT> time exceeded)
Xthat matches an active state table entry that could have generated
Xthat message, the ICMP packet is let in. For example, in older
XIPFilters, if you wanted traceroute to work, you needed to use:<BR>
X<TT>    pass out on tun0 proto udp from any to any port 33434&gt;&lt;33690 keep state<BR>
X    pass in on tun0 proto icmp from any to any icmp-type timex<BR>
X</TT>whereas now you can do the right thing and just keep state
Xon udp with:<BR>
X<TT>    pass out on tun0 proto udp from any to any port 33434&gt;&lt;33690 keep state<BR>
X</TT>To provide some protection against a third-party sneaking
XICMP messages through your firewall when an active connection
Xis known to be in your state table, the incoming ICMP packet is
Xchecked not only for matching source and destination addresses
X(and ports, when applicable) but a tiny part of the payload of
Xthe packet that the ICMP message is claiming it was generated
Xby.<BR>
X<A NAME=TOC_23>
X<H2>
XFIN Scan Detection; &quot;flags&quot; Keyword, &quot;keep frags&quot;
XKeyword
X</H2>
X</A><BR>
XLet's go back to the 4 rule set from the previous section:<BR>
X<TT>    pass  in  quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 keep state<BR>
X    pass  out quick on tun0 proto tcp from any to any keep state<BR>
X    block in  quick all<BR>
X    block out quick all<BR>
X</TT>This is almost, but not quite, satisfactory.  The problem
Xis that it's not just SYN packets that're allowed to go to port
X23, any old packet can get through.  We can change this by using
Xthe <TT>flags</TT> option:<BR>
X<TT>    pass  in  quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state<BR>
X    pass  out quick on tun0 proto tcp from any to any flags S keep state<BR>
X    block in  quick all<BR>
X    block out quick all<BR>
X</TT>Now only TCP packets, destined for 20.20.20.1, at port 23,
Xwith a lone SYN flag will be allowed in and entered into the state
Xtable.  A lone SYN flag is only present as the very first packet
Xin a TCP session (called the TCP handshake) and that's really
Xwhat we wanted all along. There's at least two advantages to this:
XNo arbitrary packets can come in and make a mess of your state
Xtable.  Also, FIN and XMAS scans will fail since they set flags
Xother than the SYN flag.[[dagger]] [[footnote: [[dagger]] Some
Xexamples use <TT>flags S/SA</TT> instead of <TT>flags S</TT>.
X<TT>flags S</TT> actually equates to <TT>flags S/AUPRFS</TT> and
Xmatches against only the SYN packet out of all six possible flags,
Xwhile <TT>flags S/SA</TT> will allow packets that may or may not
Xhave the URG, PSH, FIN, or RST flags set.  Some protocols demand
Xthe URG or PSH flags, and <TT>S/SAFR</TT> would be a better choice
Xfor these, however we feel that it is less secure to blindly use
X<TT>S/SA</TT> when it isn't required.  But it's your firewall.
X]] Now all incoming packets must either be handshakes or have
Xstate already.  If anything else comes in, it's probably a port
Xscan or a forged packet.  There's one exception to that, which
Xis when a packet comes in that's fragmented from its journey.
XIPF has provisions for this as well, the <TT>keep frags</TT> keyword.
XWith it, IPF will notice and keep track of packets that are fragmented,
Xallowing the expected fragments to to go through.  Let's rewrite
Xthe 3 rules to log forgeries and allow fragments:<BR>
X<TT>    pass  in  quick on tun0 proto tcp from any to 20.20.20.1/32 port = 23 flags S keep state keep frags<BR>
X    pass  out quick on tun0 proto tcp from any to any keep state flags S keep frags<BR>
X    block in  log quick all<BR>
X    block out log quick all<BR>
X</TT>This works because every packet that should be allowed through
Xmakes it into the state table before the blocking rules are reached.
XThe only scan this won't detect is a SYN scan itself.  If you're
Xtruely worried about that, you might even want to log all initial
XSYN packets.<BR>
X<A NAME=TOC_24>
X<H2>
XResponding To a Blocked Packet
X</H2>
X</A><BR>
X<P>
X<P>
XSo far, all of our blocked packets have been dumped on the floor,
Xlogged or not, we've never sent anything back to the originating
Xhost.  Sometimes this isn't the most desirable of responses because
Xin doing so, we actually tell the attacker that a packet filter
Xis present.  It seems a far better thing to misguide the attacker
Xinto believing that, while there's no packet filter running, there's
Xlikewise no services to break into.  This is where fancier blocking
Xcomes into play.<BR>
X<P>
X<P>
XWhen a service isn't running on a Unix system, it normally lets
Xthe remote host know with some sort of return packet.  In TCP,
Xthis is done with an RST (Reset) packet.  When blocking a TCP
Xpacket, IPF can actually return an RST to the origin by using
Xthe <TT>return-rst</TT> keyword.<BR>
XWhere once we did:<BR>
X<TT>    block in log on tun0 proto tcp from any to 20.20.20.0/24 port = 23<BR>
X    pass  in     all<BR>
X</TT>We might now do:<BR>
X<TT>    block return-rst in log proto tcp from any to 20.20.20.0/24 port = 23<BR>
X    block in log quick on tun0<BR>
X    pass  in     all<BR>
X</TT>We need two <TT>block</TT> statements since <TT>return-rst</TT>
Xonly works with TCP, and we still want to block protocols such
Xas UDP, ICMP, and others.  Now that this is done, the remote side
Xwill get &quot;connection refused&quot; instead of &quot;connection
Xtimed out&quot;.<BR>
X<P>
X<P>
XIt's also possible to send an error message when somebody sends
Xa packet to a UDP port on your system.  Whereas once you might
Xhave used:<BR>
X<TT>    block in log quick on tun0 proto udp from any to 20.20.20.0/24 port = 111<BR>
X</TT>You could instead use the <TT>return-icmp</TT> keyword to
Xsend a reply:<BR>
X<TT>    block return-icmp(port-unr) in log quick on tun0 proto udp from any to 20.20.20.0/24 port = 111<BR>
X</TT>According to <I>TCP/IP Illustrated</I>, port-unreachable
Xis the correct ICMP type to return when no service is listening
Xon the port in question.  You can use any ICMP type you like,
Xbut port-unreachable is probably your best bet. It's also the
Xdefault ICMP type for <TT>return-icmp</TT>.<BR>
X<P>
X<P>
XHowever, when using <TT>return-icmp</TT>, you'll notice that it's
Xnot very stealthy, and it returns the ICMP packet with the IP
Xaddress of the firewall, not the original destination of the packet.
XThis was fixed in ipfilter 3.3, and a new keyword; <TT>return-icmp-as-dest</TT>,
Xhas been added.   The new format is:<BR>
X<TT>     block return-icmp-as-dest(port-unr) in log on tun0 proto udp from any to 20.20.20.0/24 port = 111<BR>
X</TT>Additionally, you should be careful to use response packets
Xonly in situations where you understand ahead of time what it
Xis that you're responding to.  For example, if you happened to
Xreturn-icmp to a local network broadcast address, you would end
Xup flooding your network in short order.[[dagger]] [[footnote:
X[[dagger]] This is especially true in a DHCP/BOOTP environment
Xsuch as a typical consumer broadband connection where you run
Xthe risk of &quot;attacking&quot; your own ISP's DHCP server.
XThey won't appreciate it. ]]<BR>
X<A NAME=TOC_25>
X<H2>
XFancy Logging Techniques
X</H2>
X</A><BR>
X<P>
X<P>
XIt is important to note that the presence of the <TT>log</TT>
Xkeyword only ensures that the packet will be available to the
Xipfilter logging device; <TT>/dev/ipl</TT>.   In order to actually
Xsee this log information, one must be running the <TT>ipmon</TT>
Xutility (or some other utility that reads from <TT>/dev/ipl</TT>).
XThe typical usage of <TT>log</TT> is coupled with <TT>ipmon -s</TT>
Xto log the information to syslog.  As of ipfilter 3.3, one can
Xnow even control the logging behavior of syslog by using <TT>log
Xlevel</TT> keywords, as in rules such as this:<BR>
X<TT>     block in log level auth.info quick on tun0 from 20.20.20.0/24 to any<BR>
X     block in log level auth.alert quick on tun0 proto tcp from any to 20.20.20.0/24 port = 21<BR>
X</TT>In addition to this, you can tailor what information is being
Xlogged. For example, you may not be interested that someone attempted
Xto probe your telnet port 500 times, but you are interested that
Xthey probed you once.  You can use the <TT>log first</TT> keyword
Xto only log the first example of a packet.  Of course, the notion
Xof &quot;first-ness&quot; only applies to packets in a specific
Xsession, and for the typical blocked packet, you will be hard
Xpressed to encounter situations where this does what you expect.
XHowever, if used in conjunction with <TT>pass</TT> and <TT>keep
Xstate</TT>, this can be a valuable keyword for keeping tabs on
Xtraffic.<BR>
X<P>
X<P>
XAnother useful thing you can do with the logs is to keep track
Xof interesting pieces of the packet in addition to the header
Xinformation normally being logged.  Ipfilter will give you the
Xfirst 128 bytes of the packet if you use the <TT>log body</TT>
Xkeyword.  You should limit the use of body logging, as it makes
Xyour logs very verbose, but for certain applications, it is often
Xhandy to be able to go back and take a look at the packet, or
Xto send this data to another application that can examine it further.<BR>
X<A NAME=TOC_26>
X<H2>
XPutting It All Together
X</H2>
X</A><BR>
X<P>
X<P>
XSo now we have a pretty tight firewall, but it can still be tighter.
XSome of the original ruleset we wiped clean is actually very useful.
XI'd suggest bringing back all the anti-spoofing stuff.  This leaves
Xus with:<BR>
X<TT>    block in           on tun0<BR>
X    block in     quick on tun0 from 192.168.0.0/16 to any<BR>
X    block in     quick on tun0 from 172.16.0.0/12 to any<BR>
X    block in     quick on tun0 from 10.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 127.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 0.0.0.0/8 to any<BR>
X    block in     quick on tun0 from 169.254.0.0/16 to any<BR>
X    block in     quick on tun0 from 192.0.2.0/24 to any<BR>
X    block in     quick on tun0 from 204.152.64.0/23 to any<BR>
X    block in     quick on tun0 from 224.0.0.0/3 to any<BR>
X    block in log quick on tun0 from 20.20.20.0/24 to any<BR>
X    block in log quick on tun0 from any to 20.20.20.0/32<BR>
X    block in log quick on tun0 from any to 20.20.20.255/32<BR>
X    pass  out quick on tun0 proto tcp/udp from 20.20.20.1/32 to any keep state<BR>
X    pass  out quick on tun0 proto icmp    from 20.20.20.1/32 to any keep state<BR>
X    pass  in  quick on tun0 proto tcp from any to 20.20.20.1/32 port = 80 flags S keep state<BR>
X</TT>
X<A NAME=TOC_27>
X<H2>
XImproving Performance With Rule Groups
X</H2>
X</A><BR>
X<P>
X<P>
XLet's extend our use of our firewall by creating a much more complicated,
Xand we hope more applicable to the real world, example configuration
XFor this example, we're going to change the interface names, and
Xnetwork numbers.  Let's assume that we have three interfaces in
Xour firewall with interfaces <TT>xl0</TT>, <TT>xl1</TT>, and <TT>xl2</TT>.<BR>
X<TT>xl0 is connected to our external network 20.20.20.0/26<BR>
Xxl1 is connected to our &quot;DMZ&quot; network 20.20.20.64/26<BR>
Xxl2 is connected to our protected network 20.20.20.128/25<BR>
X</TT>We'll define the entire ruleset in one swoop, since we figure
Xthat you can read these rules by now:<BR>
X<TT>    block in     quick on xl0 from 192.168.0.0/16 to any<BR>
X    block in     quick on xl0 from 172.16.0.0/12 to any<BR>
X    block in     quick on xl0 from 10.0.0.0/8 to any<BR>
X    block in     quick on xl0 from 127.0.0.0/8 to any<BR>
X    block in     quick on xl0 from 0.0.0.0/8 to any<BR>
X    block in     quick on xl0 from 169.254.0.0/16 to any<BR>
X    block in     quick on xl0 from 192.0.2.0/24 to any<BR>
X    block in     quick on xl0 from 204.152.64.0/23 to any<BR>
X    block in     quick on xl0 from 224.0.0.0/3 to any<BR>
X    block in log quick on xl0 from 20.20.20.0/24 to any<BR>
X    block in log quick on xl0 from any to 20.20.20.0/32<BR>
X    block in log quick on xl0 from any to 20.20.20.63/32<BR>
X    block in log quick on xl0 from any to 20.20.20.64/32<BR>
X    block in log quick on xl0 from any to 20.20.20.127/32<BR>
X    block in log quick on xl0 from any to 20.20.20.128/32<BR>
X    block in log quick on xl0 from any to 20.20.20.255/32<BR>
X    pass out on xl0 all<BR>
X    pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state<BR>
X    pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state<BR>
X    pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state<BR>
X    pass out quick on xl1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state<BR>
X    pass out quick on xl1 proto udp from any to 20.20.20.65/32 port = 53 keep state<BR>
X    pass out quick on xl1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state<BR>
X    pass out quick on xl1 proto udp from any to 20.20.20.66/32 port = 53 keep state<BR>
X    block out on xl1 all<BR>
X    pass in quick on xl1 proto tcp/udp from 20.20.20.64/26 to any keep state<BR>
X    block out on xl2 all<BR>
X    pass in quick on xl2 proto tcp/udp from 20.20.20.128/25 to any keep state<BR>
X</TT>From this arbitarary example, we can already see that our
Xruleset is becoming unwieldy.   To make matters worse, as we add
Xmore specific rules to our DMZ network, we add additional tests
Xthat must be parsed for every packet, which affects the performance
Xof the <TT>xl0</TT> &lt;-&gt; <TT>xl2</TT> connections.  If you
Xset up a firewall with a ruleset like this, and you have lots
Xof bandwidth and a moderate amount of cpu, everyone that has a
Xworkstation on the <TT>xl2</TT> network is going to come looking
Xfor your head to place on a platter.  So, to keep your head &lt;-&gt;
Xtorso network intact, you can speed things along by creating rule
Xgroups.   Rule groups allow you to write your ruleset in a tree
Xfashion, instead of as a linear list, so that if your packet has
Xnothing to do with the set of tests (say, all those <TT>xl1</TT>
Xrules) those rules will never be consulted.  It's somewhat like
Xhaving multiple firewalls all on the same machine.<BR>
XHere's a simple example to get us started:<BR>
X<TT>    block out quick on xl1 all head 10<BR>
X    pass out quick proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10<BR>
X    block out on xl2 all<BR>
X</TT>In this simplistic example, we can see a small hint of the
Xpower of the rule group.  If the packet is not destined for <TT>xl1</TT>,
Xthe <TT>head</TT> of rule <TT>group 10</TT> will not match, and
Xwe will go on with our tests.  If the packet does match for <TT>xl1</TT>,
Xthe <TT>quick</TT> keyword will short-circuit all further processing
Xat the root level (rule group 0), and focus the testing on rules
Xwhich belong to <TT>group 10</TT>; namely, the SYN check for 80/tcp.
XIn this way, we can re-write the above rules so that we can maximize
Xperformance of our firewall.<BR>
X<TT>    block in quick on xl0 all head 1<BR>
X      block in     quick on xl0 from 192.168.0.0/16 to any  group 1<BR>
X      block in     quick on xl0 from 172.16.0.0/12 to any   group 1<BR>
X      block in     quick on xl0 from 10.0.0.0/8 to any      group 1<BR>
X      block in     quick on xl0 from 127.0.0.0/8 to any     group 1<BR>
X      block in     quick on xl0 from 0.0.0.0/8 to any       group 1<BR>
X      block in     quick on xl0 from 169.254.0.0/16 to any  group 1<BR>
X      block in     quick on xl0 from 192.0.2.0/24 to any    group 1<BR>
X      block in     quick on xl0 from 204.152.64.0/23 to any group 1<BR>
X      block in     quick on xl0 from 224.0.0.0/3 to any     group 1<BR>
X      block in log quick on xl0 from 20.20.20.0/24 to any   group 1<BR>
X      block in log quick on xl0 from any to 20.20.20.0/32   group 1<BR>
X      block in log quick on xl0 from any to 20.20.20.63/32  group 1<BR>
X      block in log quick on xl0 from any to 20.20.20.64/32  group 1<BR>
X      block in log quick on xl0 from any to 20.20.20.127/32 group 1<BR>
X      block in log quick on xl0 from any to 20.20.20.128/32 group 1<BR>
X      block in log quick on xl0 from any to 20.20.20.255/32 group 1<BR>
X      pass  in           on xl0 all group 1<BR>
X    pass out on xl0 all<BR>
X    block out quick on xl1 all head 10<BR>
X      pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 80 flags S keep state group 10<BR>
X      pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 21 flags S keep state group 10<BR>
X      pass out quick on xl1 proto tcp from any to 20.20.20.64/26 port = 20 flags S keep state group 10<BR>
X      pass out quick on xl1 proto tcp from any to 20.20.20.65/32 port = 53 flags S keep state group 10<BR>
X      pass out quick on xl1 proto udp from any to 20.20.20.65/32 port = 53         keep state group 10<BR>
X      pass out quick on xl1 proto tcp from any to 20.20.20.66/32 port = 53 flags S keep state<BR>
X      pass out quick on xl1 proto udp from any to 20.20.20.66/32 port = 53         keep state group 10<BR>
X    pass in quick on xl1 proto tcp/udp from 20.20.20.64/26 to any keep state<BR>
X    block out on xl2 all<BR>
X    pass in quick on xl2 proto tcp/udp from 20.20.20.128/25 to any keep state<BR>
X</TT>Now you can see the rule groups in action.  For a host on
Xthe <TT>xl2</TT> network, we can completely bypass all the checks
Xin <TT>group 10</TT> when we're not communicating with hosts on
Xthat network.<BR>
X<P>
X<P>
XDepending on your situation, it may be prudent to group your rules
Xby protocol, or various machines, or netblocks, or whatever makes
Xit flow smoothly.<BR>
X<A NAME=TOC_28>
X<H2>
X&quot;Fastroute&quot;; The Keyword of Stealthiness
X</H2>
X</A><BR>
X<P>
X<P>
XEven though we're forwarding some packets, and blocking other
Xpackets, we're typically behaving like a well behaved router should
Xby decrementing the TTL on the packet and acknowledging to the
Xentire world that yes, there is a hop here.  But we can hide our
Xpresence from inquisitive applications like unix traceroute which
Xuses UDP packets with various TTL values to map the hops between
Xtwo sites.  If we want incoming traceroutes to work, but we do
Xnot want to announce the presence of our firewall as a hop, we
Xcan do so with a rule like this:<BR>
X<TT>    block in quick on xl0 fastroute proto udp from any to any port 33434 &gt;&lt; 33465<BR>
X</TT>The presence of the <TT>fastroute</TT> keyword will signal
Xipfilter to not pass the packet into the Unix IP stack for routing
Xwhich results in a TTL decrement.  The packet will be placed gently
Xon the output interface by ipfilter itself and no such decrement
Xwill happen.  Ipfilter will of course use the system's routing
Xtable to figure out what the appropriate output interface really
Xis, but it will take care of the actual task of routing itself.<BR>
X<P>
X<P>
XThere's a reason we used <TT>block quick</TT> in our example,
Xtoo.  If we had used <TT>pass</TT>, and if we had IP Forwarding
Xenabled in our kernel, we would end up having two paths for a
Xpacket to come out of, and we would probably panic our kernel.<BR>
X<P>
X<P>
XIt should be noted, however, that most Unix kernels (and certainly
Xthe ones underlying the systems that ipfilter usually runs on)
Xhave far more efficient routing code than what exists in ipfilter,
Xand this keyword should not be thought of as a way to improve
Xthe operating speed of your firewall, and should only be used
Xin places where stealth is an issue.<BR>
X<A NAME=TOC_29>
X<H2>
XNAT and Proxies
X</H2>
X</A><BR>
X<P>
X<P>
XOutside of the corporate environment, one of the biggest enticements
Xof firewall technology to the end user is the ability to connect
Xseveral computers through a common external interface, often without
Xthe approval, knowledge, or even consent of their service provider.
XTo those familiar with Linux, this concept is called <I>IP Masquerading</I>,
Xbut to the rest of the world it is known by the more obscure name
Xof <I>Network Address Translation,</I> or NAT for short.[[dagger]]
X[[footnote: [[dagger]] To be pedantic, what IPFilter provides
Xis really called NPAT, for Network and Port Address Translation,
Xwhich means we can change any of the source and destination IP
XAddresses and their source and destination ports. <I>True NAT</I>
Xonly allows one to change the addresses. ]]<BR>
X<A NAME=TOC_30>
X<H2>
XMapping Many Addresses Into One Address
X</H2>
X</A><BR>
X<P>
X<P>
XThe basic use of NAT accomplishes much the same thing that Linux's
XIP Masquerading function does, and it does it with one simple
Xrule:<BR>
X<TT>    map tun0 192.168.1.0/24 -&gt; 20.20.20.1/32<BR>
X</TT>Very simple.  Whenever a packet goes out the <TT>tun0</TT>
Xinterface with a source address matching the CIDR network mask
Xof 192.168.1.0/24 [[dagger]][[dagger]] this packet will be rewritten
Xwithin the IP stack such that its source address is 20.20.20.1,
Xand it will be sent on to its original destination.   The system
Xalso keeps a list of what translated connections are in progress
Xso that it can perform the reverse and remap the response (which
Xwill be directed to 20.20.20.1) to the internal host that really
Xgenerated the packet. [[footnote: [[dagger]][[dagger]] This is
Xa typical internal address space, since it's non-routable on the
XReal Internet it is often used for internal networks.   You should
Xstill block these packets coming in from the outside world as
Xdiscussed earlier. ]]<BR>
X<P>
X<P>
XThere is a drawback to the rule we have just written, though.
XIn a large number of cases, we do not happen to know what the
XIP address of our outside link is (if we're using <TT>tun0</TT>
Xor <TT>ppp0</TT> and a typical ISP) so it makes setting up our
XNAT tables a chore.   Luckily, NAT is smart enough to accept an
Xaddress of 0/32 as a signal that it needs to go look at what the
Xaddress of that interface really is and we can rewrite our rule
Xas follows:<BR>
X<TT>    map tun0 192.168.1.0/24 -&gt; 0/32<BR>
X</TT>Now we can load our <TT>ipnat</TT> rules with impunity and
Xconnect to the outside world without having to edit anything.
XYou do have to run <TT>ipf -y</TT> to refresh the address if you
Xget disconnected and redial or if your DHCP lease changes, though.[[dagger]][[dagger]][[dagger]]
X[[footnote: [[dagger]][[dagger]][[dagger]] Typically you'd do
Xthis in your network interface setup scripts for your ppp client,
Xbut that is well beyond the scope of this document. ]]<BR>
X<P>
X<P>
XSome of you may be wondering what happens to the source port when
Xthe mapping happens.  With our current rule, the packet's source
Xport is unchanged from the original source port.  There can be
Xinstances where we do not desire this behavior; maybe we have
Xanother firewall further upstream we have to pass through, or
Xperhaps many hosts are trying to use the same source port, causing
Xa collision where the rule doesn't match and the packet is passed
Xuntranslated.  ipnat helps us here with the <TT>portmap</TT> keyword:<BR>
X<TT>    map tun0 192.168.1.0/24 -&gt; 0/32 portmap tcp/udp 20000:30000<BR>
X</TT>Our rule now shoehorns all the translated connections (which
Xcan be <TT>tcp</TT>, <TT>udp</TT>, or <TT>tcp/udp</TT>) into the
Xport range of 20000 to 30000.<BR>
X<P>
X<P>
XAdditionally, we can make our lives even easier by using the <TT>auto</TT>
Xkeyword to tell ipnat to determine for itself which ports are
Xavailable for use, and allocate a proportional amount of them
Xper address in your pool versus addresses being natted:<BR>
X<TT>    map tun0 192.168.1.0/24 -&gt; 0/32 portmap tcp/udp auto<BR>
X</TT>Keep in mind that these <TT>portmap</TT> rules only apply
Xto the protocols that you have specified (e.g.: tcp, udp, or tcp/udp),
Xand do not apply to other protocols like ICMP or IPSec ESP/AH.
XFor these, you need to have an additonal <TT>map</TT> statement
Xthat applies to all other protocols:<BR>
X<TT>    map tun0 192.168.1.0/24 -&gt; 0/32 portmap tcp/udp 20000:30000<BR>
X    map tun0 192.168.1.0/24 -&gt; 0/32<BR>
X</TT>
X<A NAME=TOC_31>
X<H2>
XMapping Many Addresses Into a Pool of Addresses
X</H2>
X</A><BR>
X<P>
X<P>
XAnother use common use of NAT is to take a small statically allocated
Xblock of addresses and map many computers into this smaller address
Xspace.   This is easy to accomplish using what you already know
Xabout the <TT>map</TT> and <TT>portmap</TT> keywords by writing
Xa rule like so:<BR>
X<TT>    map tun0 192.168.0.0/16 -&gt; 20.20.20.0/24 portmap tcp/udp 20000:60000<BR>
X</TT>Also, there may be instances where a remote application requires
Xthat multiple connections all come from the same IP address. We
Xcan help with these situations by telling NAT to statically map
Xsessions from a host into the pool of addresses and work some
Xmagic to choose a port. This uses a the keyword <TT>map-block</TT>
Xas follows:<BR>
X<TT>    map-block tun0 192.168.1.0/24 -&gt; 20.20.20.0/24<BR>
X</TT>As with <TT>map</TT>, <TT>map-block</TT> has it's own version
Xof <TT>portmap</TT>. This is accomplished with either the <TT>auto</TT>
Xkeyword:<BR>
X<TT>    map-block tun0 192.168.1.0/24 -&gt; 20.20.20.0/24 auto<BR>
X</TT>or the <TT>ports</TT> keyword, if you want to specify your
Xown number of ports belonging to each ip address:<BR>
X<TT>    map-block tun0 192.168.1.0/24 -&gt; 20.20.20.0/24 ports 64<BR>
X</TT>
X<A NAME=TOC_32>
X<H2>
XOne to One Mappings
X</H2>
X</A><BR>
X<P>
X<P>
XOccasionally it is desirable to have a system with one IP address
Xbehind the firewall to appear to have a completely different IP
Xaddress.  One example of how this would work would be a lab of
Xcomputers which are then attached to various networks that are
Xto be put under some kind of test. In this example, you would
Xnot want to have to reconfigure the entire lab when you could
Xplace a NAT system in front and change the addresses in one simple
Xplace.   We can do that with the <TT>bimap</TT> keyword, for bidirectional
Xmapping.    <TT>Bimap</TT> has some additional protections on
Xit to ensure a known state for the connection, whereas the <TT>map</TT>
Xkeyword is designed to allocate an address and a source port and
Xrewrite the packet and go on with life.<BR>
X<TT>      bimap tun0 192.168.1.1/32 -&gt; 20.20.20.1/32<BR>
X</TT>will accomplish the mapping for one host.<BR>
X<A NAME=TOC_33>
X<H2>
XPolicy NAT
X</H2>
X</A><BR>
X<P>
X<P>
XQuite often, we will find ourselves in need of having NAT behave
Xdifferently based on which source and destination addresses are
Xbeing used.    For example, we might want to always NAT unless
Xwe are speaking with a specific subnet:<BR>
X<TT>    map tun0 from 192.168.1.0/24 ! to 5.0.0.0/20 -&gt; 20.20.20.1/32<BR>
X</TT>We might also want to do something like the following:<BR>
X<TT>    map tun0 from 192.168.1.5/32 port = 5555 to 1.2.3.4/32 -&gt; 20.20.20.2/32<BR>
X    map tun0 from 192.168.1.0/24 to 5.0.0.0/20 -&gt; 20.20.20.2/32 portmap auto<BR>
X</TT>
X<A NAME=TOC_34>
X<H2>
XSpoofing Services
X</H2>
X</A><BR>
X<P>
X<P>
XSpoofing services?  What does that have to do with anything? 
XPlenty. Let's pretend that we have a web server running on 20.20.20.5,
Xand since we've gotten increasingly suspicious of our network
Xsecurity, we desire to not run this server on port 80 since that
Xrequires a brief lifespan as the root user.   But how do we run
Xit on a less privledged port of 8000 in this world of &quot;anything
Xdot com&quot;?  How will anyone find our server? We can use the
Xredirection facilities of NAT to solve this problem by instructing
Xit to remap any connections destined for 20.20.20.5:80 to really
Xpoint to 20.20.20.5:8000.   This uses the <TT>rdr</TT> keyword:<BR>
X<TT>      rdr tun0 20.20.20.5/32 port 80 -&gt; 192.168.0.5 port 8000<BR>
X</TT>We can also specify the protocol here, if we wanted to redirect
Xa UDP service, instead of a TCP service (which is the default).
XFor example, if we had a honeypot on our firewall to impersonate
Xthe popular Back Orifice for Windows, we could shovel our entire
Xnetwork into this one place with a simple rule:<BR>
X<TT>        rdr tun0 20.20.20.0/24 port 31337 -&gt; 127.0.0.1 port 31337 udp<BR>
X</TT>We can also alter <TT>rdr</TT>'s behavior based on the source
Xand destination addresses:<BR>
X<TT>    rdr tun0 from 10.1.1.1/32 to 20.20.20.5/32 port = 80 -&gt; 192.168.0.5 port 8001<BR>
X    rdr tun0 from 10.1.1.1/32 port = 12345 to 20.20.20.5/32 port = 80 -&gt; 192.168.0.5 port 8002<BR>
X</TT>An extremely important point must be made about <TT>rdr</TT>:
XYou cannot easily[[dagger]] use this feature as a &quot;reflector&quot;.
XE.g:<BR>
X<TT> rdr tun0 20.20.20.5/32 port 80 -&gt; 20.20.20.6 port 80 tcp<BR>
X</TT>will not work in the situation where .5 and .6 are on the
Xsame LAN segment. [[footnote: [[dagger]] Yes. There is a way to
Xdo this.  It's so convoluted that I refuse to use it, though.
XSmart people who require this functionality will transparently
Xredirect into something like TIS plug-gw on 127.0.0.1. Stupid
Xpeople will set up a dummy loop interface pair and double rewrite.
X]] The <TT>rdr</TT> function is applied to packets that enter
Xthe firewall on the specified interface.  When a packet comes
Xin that matches a <TT>rdr</TT> rule, its destination address is
Xthen rewritten, it is pushed into <TT>ipf</TT> for filtering,
Xand should it successfully run the gauntlet of filter rules, it
Xis then sent to the unix routing code.  Since this packet is still
X<I>inbound</I> on the same interface that it will need to leave
Xthe system on to reach a host, the system gets confused.  Reflectors
Xdon't work.  Neither does specifying the address of the interface
Xthe packet just came in on.  Always remember that <TT>rdr</TT>
Xdestinations must exit out of the firewall host on a different
Xinterface. [[dagger]][[dagger]] [[footnote: [[dagger]][[dagger]]
XThis includes 127.0.0.1, by the way.  That's on lo0.  Neat, huh?
X]]<BR>
X<A NAME=TOC_35>
X<H2>
XTransparent Proxy Support; Redirection Made Useful
X</H2>
X</A><BR>
X<P>
X<P>
XSince you're installing a firewall, you may have decided that
Xit is prudent to use a proxy for many of your outgoing connections
Xso that you can further tighten your filter rules protecting your
Xinternal network, or you may have run into a situation that the
XNAT mapping process does not currently handle properly.   This
Xcan also be accomplished with a redirection statement:<BR>
X<TT>        rdr xl0 0.0.0.0/0 port 21 -&gt; 127.0.0.1 port 21<BR>
X</TT>This statement says that any packet coming in on the <TT>xl0</TT>
Xinterface destined for any address (0.0.0.0/0) on the ftp port
Xshould be rewritten to connect it with a proxy that is running
Xon the NAT system on port 21.<BR>
X<P>
X<P>
XThis specific example of FTP proxying does lead to some complications
Xwhen used with web browsers or other automatic-login type clients
Xthat are unaware of the requirements of communicating with the
Xproxy.  There are patches for <I>TIS Firewall Toolkit's</I><TT>ftp-gw</TT>
Xto mate it with the nat process so that it can determine where
Xyou were trying to go and automatically send you there.  Many
Xproxy packages now work in a transparent proxy environment (Squid
Xfor example, located at <I>http://squid.nlanr.net</I>, works fine.)<BR>
X<P>
X<P>
XThis application of the <TT>rdr</TT> keyword is often more useful
Xwhen you wish to force users to authenticate themselves with the
Xproxy. (For example, you desire your engineers to be able to surf
Xthe web, but you would rather not have your call-center staff
Xdoing so.)<BR>
X<A NAME=TOC_36>
X<H2>
XFiltering Redirected Services
X</H2>
X</A><BR>
X<P>
X<P>
XQuite a lot of users will want to combine both filtering and address
Xtranslation in order to provide a service to only known hosts
Xbehind their NAT system.  For example, to provide a web server
Xbehind your machine 20.20.20.5 (which is really 192.168.0.5 on
Xyour inside network) for your friend over on 172.16.8.2, you would
Xwrite the following in ipnat.rules:<BR>
X<TT> rdr tun0 20.20.20.5/32 port 80 -&gt; 192.168.0.5 port 8000<BR>
X</TT>and the following in ipf.rules:<BR>
X<TT> pass in on tun0 proto tcp from 172.16.8.2/32 to 192.168.0.5/32 port = 8000 flags S keep state<BR>
X</TT>That might look a little strange at first glance, but that's
Xbecause the NAT stage happens first, and the packet's destination
Xaddress and port is rewritten before it is processed by the filter
Xcode.<BR>
X<A NAME=TOC_37>
X<H2>
XMagic Hidden Within NAT; Application Proxies
X</H2>
X</A><BR>
X<P>
X<P>
XSince <TT>ipnat</TT> provides a method to rewrite packets as they
Xtraverse the firewall, it becomes a convenient place to build
Xin some application level proxies to make up for well known deficiencies
Xof that application and typical firewalls.  For example; FTP.
XWe can make our firewall pay attention to the packets going across
Xit and when it notices that it's dealing with an Active FTP session,
Xit can write itself some temporary rules, much like what happens
Xwith <TT>keep state</TT>, so that the FTP data connection works.
XTo do this, we use a rule like so:<BR>
X<TT>   map tun0 192.168.1.0/24 -&gt; 20.20.20.1/32 proxy port ftp ftp/tcp<BR>
X</TT>You must always remember to place this <TT>proxy rule</TT>
X<B>before</B> any <TT>portmap</TT> rules, otherwise when <TT>portmap</TT>
Xcomes along and matches the packet and rewrites it before the
Xproxy gets a chance to work on it. Remember that ipnat rules are
Xfirst-match.<BR>
X<P>
X<P>
XThere also exist proxies for &quot;rcmd&quot; (which we suspect
Xis berkeley r-* commands which should be forbidden anyway, thus
Xwe haven't looked at what this proxy does) and &quot;raudio&quot;
Xfor Real Audio PNM streams.  Likewise, both of these rules should
Xbe put before any <TT>portmap</TT> rules, if you're doing NAT.<BR>
X<A NAME=TOC_38>
X<H2>
XMore Magic; Using NAT As a Load Balancer
X</H2>
X</A><BR>
X<P>
X<P>
XSince <TT>ipnat</TT> is already rewriting packets for us, we can
Xuse it to support one of the simpler features of those expensive
Xload-balancing systems and assign sessions to multiple destination
Xaddresses.  This is accomplished using the <TT>round-robin</TT>
Xkeyword:<BR>
X<TT>   rdr tun0 20.20.20.5/32 port 80 -&gt; 192.168.0.5, 192.168.0.6, 192.168.0.7 port 8000<BR>
X</TT>
X<A NAME=TOC_39>
X<H2>
XLoading and Manipulating Filter Rules; The ipf Utility
X</H2>
X</A><BR>
X<P>
X<P>
XIP Filter rules are loaded by using the <TT>ipf</TT> utility.
XThe filter rules can be stored in any file on the system, but
Xtypically these rules are stored in <TT>/etc/ipf.rules</TT>, <TT>/usr/local/etc/ipf.rules</TT>,
Xor <TT>/etc/opt/ipf/ipf.rules</TT>.<BR>
X<P>
X<P>
XIP Filter has two sets of rules, the <I>active set</I> and the
X<I>inactive set</I>.  By default, all operations are performed
Xon the active set.  You can manipulate the inactive set by adding
X<TT>-I</TT> to the <TT>ipf</TT> command line.   The two sets can
Xbe toggled by using the <TT>-s</TT> command line option.  This
Xis very useful for testing new rule sets without wiping out the
Xold rule set.<BR>
X<P>
X<P>
XRules can also be removed from the list instead of added by using
Xthe <TT>-r</TT> command line option, but it is generally a safer
Xidea to flush the rule set that you're working on with <TT>-F</TT>
Xand completely reload it when making changes.<BR>
X<P>
X<P>
XIn summary, the easiest way to load a rule set is <TT>ipf -Fa
X-f /etc/ipf.rules</TT>. For more complicated manipulations of
Xthe rule set, please see the <TT>ipf(1)</TT> man page.<BR>
X<A NAME=TOC_40>
X<H2>
XLoading and Manipulating NAT Rules; The ipnat Utility
X</H2>
X</A><BR>
X<P>
X<P>
XNAT rules are loaded by using the <TT>ipnat</TT> utility.  The
XNAT rules can be stored in any file on the system, but typically
Xthese rules are stored in <TT>/etc/ipnat.rules</TT>, <TT>/usr/local/etc/ipnat.rules</TT>,
Xor <TT>/etc/opt/ipf/ipnat.rules</TT>.<BR>
X<P>
X<P>
XRules can also be removed from the list instead of added by using
Xthe <TT>-r</TT> command line option, but it is generally a safer
Xidea to flush the rule set that you're working on with <TT>-C</TT>
Xand completely reload it when making changes.  Any active mappings
Xare not affected by <TT>-C</TT>, and can be removed with <TT>-F</TT>.<BR>
X<P>
X<P>
XNAT rules and active mappings can be examined with the <TT>-l</TT>
Xcommand line option.<BR>
X<P>
X<P>
XIn summary, the easiest way to load a NAT rule set is <TT>ipnat
X-CF -f /etc/ipnat.rules</TT>.<BR>
X<A NAME=TOC_41>
X<H2>
XMonitoring and Debugging
X</H2>
X</A><BR>
X<P>
X<P>
XThere will come a time when you are interested in what your firewall
Xis actually doing, and ipfilter would be incomplete if it didn't
Xhave a full suite of status monitoring tools.<BR>
X<A NAME=TOC_42>
X<H2>
XThe ipfstat utility
X</H2>
X</A><BR>
X<P>
X<P>
XIn its simplest form, <TT>ipfstat</TT> displays a table of interesting
Xdata about how your firewall is performing, such as how many packets
Xhave been passed or blocked, if they were logged or not, how many
Xstate entries have been made, and so on.  Here's an example of
Xsomething you might see from running the tool:<BR>
X<TT>    # ipfstat<BR>
X     input packets:         blocked 99286 passed 1255609 nomatch 14686 counted 0<BR>
X    output packets:         blocked 4200 passed 1284345 nomatch 14687 counted 0<BR>
X     input packets logged:  blocked 99286 passed 0<BR>
X    output packets logged:  blocked 0 passed 0<BR>
X     packets logged:        input 0 output 0<BR>
X     log failures:          input 3898 output 0<BR>
X    fragment state(in):     kept 0  lost 0<BR>
X    fragment state(out):    kept 0  lost 0<BR>
X    packet state(in):       kept 169364     lost 0<BR>
X    packet state(out):      kept 431395     lost 0<BR>
X    ICMP replies:   0       TCP RSTs sent:  0<BR>
X    Result cache hits(in):  1215208 (out):  1098963<BR>
X    IN Pullups succeeded:   2       failed: 0<BR>
X    OUT Pullups succeeded:  0       failed: 0<BR>
X    Fastroute successes:    0       failures:       0<BR>
X    TCP cksum fails(in):    0       (out):  0<BR>
X    Packet log flags set: (0)<BR>
X            none<BR>
X</TT><TT>ipfstat</TT> is also capable of showing you your current
Xrule list.  Using the <TT>-i</TT> or the <TT>-o</TT> flag will
Xshow the currently loaded rules for in or out, respectively. 
XAdding a <TT>-h</TT> to this will provide more useful information
Xat the same time by showing you a &quot;hit count&quot; on each
Xrule. For example:<BR>
X<TT>    # ipfstat -ho<BR>
X    2451423 pass out on xl0 from any to any<BR>
X    354727 block out on ppp0 from any to any<BR>
X    430918 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags<BR>
X</TT>From this, we can see that perhaps there's something abnormal
Xgoing on, since we've got a lot of blocked packets outbound, even
Xwith a very permissive <TT>pass out</TT> rule.  Something here
Xmay warrant further investigation,  or it may be functioning perfectly
Xby design.  ipfstat can't tell you if your rules are right or
Xwrong, it can only tell you what is happening because of your
Xrules.<BR>
XTo further debug your rules, you may want to use the <TT>-n</TT>
Xflag, which will show the rule number next to each rule.<BR>
X<TT>    # ipfstat -on<BR>
X    @1 pass out on xl0 from any to any<BR>
X    @2 block out on ppp0 from any to any<BR>
X    @3 pass out quick on ppp0 proto tcp/udp from 20.20.20.0/24 to any keep state keep frags<BR>
X</TT>The final piece of really interesting information that <TT>ipfstat</TT>
Xcan provide us is a dump of the state table.  This is done with
Xthe <TT>-s</TT> flag:<BR>
X<TT>    # ipfstat -s<BR>
X            281458 TCP<BR>
X            319349 UDP<BR>
X            0 ICMP<BR>
X            19780145 hits<BR>
X            5723648 misses<BR>
X            0 maximum<BR>
X            0 no memory<BR>
X            1 active<BR>
X            319349 expired<BR>
X            281419 closed<BR>
X    100.100.100.1 -&gt; 20.20.20.1 ttl 864000 pass 20490 pr 6 state 4/4<BR>
X            pkts 196 bytes 17394    987 -&gt; 22 585538471:2213225493 16592:16500<BR>
X            pass in log quick keep state<BR>
X            pkt_flags &amp; b = 2,              pkt_options &amp; ffffffff = 0<BR>
X            pkt_security &amp; ffff = 0, pkt_auth &amp; ffff = 0<BR>
X</TT>Here we see that we have one state entry for a TCP connection.
XThe output will vary slightly from version to version, but the
Xbasic information is the same.  We can see in this connection
Xthat we have a fully established connection (represented by the
X4/4 state.  Other states are incomplete and will be documented
Xfully later.)  We can see that the state entry has a time to live
Xof 240 hours, which is an absurdly long time, but is the default
Xfor an established TCP connection.   This TTL counter is decremented
Xevery second that the state entry is not used, and will finally
Xresult in the connection being purged if it has been left idle.
XThe TTL is also reset to 864000 whenever the state IS used, ensuring
Xthat the entry will not time out while it is being actively used.
XWe can also see that we have passed 196 packets consisting of
Xabout 17kB worth of data over this connection.  We can see the
Xports for both endpoints, in this case 987 and 22; which means
Xthat this state entry represents a connection from 100.100.100.1
Xport 987 to 20.20.20.1 port 22.   The really big numbers in the
Xsecond line are the TCP sequence numbers for this connection,
Xwhich helps to ensure that someone isn't easily able to inject
Xa forged packet into your session.  The TCP window is also shown.
XThe third line is a synopsis of the implicit rule that was generated
Xby the <TT>keep state</TT> code, showing that this connection
Xis an inbound connection.<BR>
X<A NAME=TOC_43>
X<H2>
XThe ipmon utility
X</H2>
X</A><BR>
X<P>
X<P>
X<TT>ipfstat</TT> is great for collecting snapshots of what's going
Xon on the system, but it's often handy to have some kind of log
Xto look at and watch events as they happen in time.   <TT>ipmon</TT>
Xis this tool.  <TT>ipmon</TT> is capable of watching the packet
Xlog (as created with the <TT>log</TT> keyword in your rules),
Xthe state log, or the nat log, or any combination of the three.
XThis tool can either be run in the foreground, or as a daemon
Xwhich logs to syslog or a file.  If we wanted to watch the state
Xtable in action, <TT>ipmon -o S</TT> would show this:<BR>
X<TT>    # ipmon -o S<BR>
X    01/08/1999 15:58:57.836053 STATE:NEW 100.100.100.1,53 -&gt; 20.20.20.15,53 PR udp<BR>
X    01/08/1999 15:58:58.030815 STATE:NEW 20.20.20.15,123 -&gt; 128.167.1.69,123 PR udp<BR>
X    01/08/1999 15:59:18.032174 STATE:NEW 20.20.20.15,123 -&gt; 128.173.14.71,123 PR udp<BR>
X    01/08/1999 15:59:24.570107 STATE:EXPIRE 100.100.100.1,53 -&gt; 20.20.20.15,53 PR udp Pkts 4 Bytes 356<BR>
X    01/08/1999 16:03:51.754867 STATE:NEW 20.20.20.13,1019 -&gt; 100.100.100.10,22 PR tcp<BR>
X    01/08/1999 16:04:03.070127 STATE:EXPIRE 20.20.20.13,1019 -&gt; 100.100.100.10,22 PR tcp Pkts 63 Bytes 4604<BR>
X</TT>Here we see a state entry for an external dns request off
Xour nameserver, two xntp pings to well-known time servers, and
Xa very short lived outbound ssh connection.<BR>
X<P>
X<P>
X<TT>ipmon</TT> is also capable of showing us what packets have
Xbeen logged.  For example, when using state, you'll often run
Xinto packets like this:<BR>
X<TT>    # ipmon -o I<BR>
X    15:57:33.803147 ppp0 @0:2 b 100.100.100.103,443 -&gt; 20.20.20.10,4923 PR tcp len 20 1488 -A<BR>
X</TT>What does this mean?   The first field is obvious, it's a
Xtimestamp.  The second field is also pretty obvious, it's the
Xinterface that this event happened on.  The third field <TT>@0:2</TT>
Xis something most people miss. This is the rule that caused the
Xevent to happen.  Remember <TT>ipfstat -in</TT>?  If you wanted
Xto know where this came from, you could look there for rule 2
Xin rule group 0.  The fourth field, the little &quot;b&quot; says
Xthat this packet was blocked, and you'll generally ignore this
Xunless you're logging passed packets as well, which would be a
Xlittle &quot;p&quot; instead. The fifth and sixth fields are pretty
Xself-explanatory, they say where this packet came from and where
Xit was going. The seventh (&quot;PR&quot;) and eighth fields tell
Xyou the protocol and the ninth field tells you the size of the
Xpacket. The last part, the &quot;-A&quot; in this case, tells
Xyou the flags that were on the packet;  This one was an ACK packet.
XWhy did I mention state earlier?   Due to the often laggy nature
Xof the Internet, sometimes packets will be regenerated.  Sometimes,
Xyou'll get two copies of the same packet, and your state rule
Xwhich keeps track of sequence numbers will have already seen this
Xpacket, so it will assume that the packet is part of a different
Xconnection.   Eventually this packet will run into a real rule
Xand have to be dealt with.   You'll often see the last packet
Xof a session being closed get logged because the <TT>keep state</TT>
Xcode has already torn down the connection before the last packet
Xhas had a chance to make it to your firewall.  This is normal,
Xdo not be alarmed. [[dagger]] [[footnote: [[dagger]] For a technical
Xpresentation of the IP Filter stateful inspection engine, please
Xsee the white paper <I>Real Stateful TCP Packet Filtering in IP
XFilter</I>, by Guido van Rooij.  This paper may be found at <I>&lt;http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz&gt;</I>;
X]] Another example packet that might be logged:<BR>
X<TT>    12:46:12.470951 xl0 @0:1 S 20.20.20.254 -&gt; 255.255.255.255 PR icmp len 20 9216 icmp 9/0<BR>
X</TT>This is a ICMP router discovery broadcast.  We can tell by
Xthe ICMP type 9/0.<BR>
XFinally, <TT>ipmon</TT> also lets us look at the NAT table in
Xaction.<BR>
X<TT>    # ipmon -o N<BR>
X    01/08/1999 05:30:02.466114 @2 NAT:RDR 20.20.20.253,113 &lt;- -&gt; 20.20.20.253,113 [100.100.100.13,45816]<BR>
X    01/08/1999 05:30:31.990037 @2 NAT:EXPIRE 20.20.20.253,113 &lt;- -&gt; 20.20.20.253,113 [100.100.100.13,45816] Pkts 10 Bytes 455<BR>
X</TT>This would be a redirection to an identd that lies to provide
Xident service for the hosts behind our NAT, since they are typically
Xunable to provide this service for themselves with ordinary natting.<BR>
X<B>0. Specific Applications of IP Filter - Things that don't fit,
Xbut should be mentioned anyway.<BR>
X</B>
X<A NAME=TOC_44>
X<H2>
XKeep State With Servers and Flags.
X</H2>
X</A><BR>
X<P>
X<P>
XKeeping state is a good thing, but it's quite easy to make a mistake
Xin the direction that you want to <TT>keep state</TT> in.   Generally,
Xyou want to have a <TT>keep state</TT> keyword on the first rule
Xthat interacts with a packet for the connection. One common mistake
Xthat is made when mixing state tracking with filtering on flags
Xis this:<BR>
X<TT>     block in all<BR>
X     pass in quick proto tcp from any to 20.20.20.20/32 port = 23 flags S<BR>
X     pass out all keep state<BR>
X</TT>That certainly appears to allow a connection to be created
Xto the telnet server on 20.20.20.20, and the replies to go back.
XIf you try using this rule, you'll see that it does work--Momentarily.
XSince we're filtering for the SYN flag, the state entry never
Xfully gets completed, and the default time to live for an incomplete
Xstate is 60 seconds.<BR>
XWe can solve this by rewriting the rules in one of two ways:<BR>
X<CENTER>
X1)<BR>
X</CENTER>
X<TT>     block in all<BR>
X     pass in quick proto tcp from any to 20.20.20.20/32 port = 23 keep state<BR>
X     block out all<BR>
X</TT>or:<BR>
X<CENTER>
X2)<BR>
X</CENTER>
X<TT>     block in all<BR>
X     pass in quick proto tcp from any to 20.20.20.20/32 port = 23 flags S keep state<BR>
X     pass out all keep state<BR>
X</TT>Either of these sets of rules will result in a fully established
Xstate entry for a connection to your server.<BR>
X<A NAME=TOC_45>
X<H2>
XCoping With FTP
X</H2>
X</A><BR>
X<P>
X<P>
XFTP is one of those protocols that you just have to sit back and
Xask &quot;What the heck were they thinking?&quot;  FTP has many
Xproblems that the firewall administrator needs to deal with. 
XWhat's worse, the problems the administrator must face are different
Xbetween making ftp clients work and making ftp servers work.<BR>
X<P>
X<P>
XWithin the FTP protocol, there are two forms of data transfer,
Xcalled active and passive.  Active transfers are those where the
Xserver connects to an open port on the client to send data.  Conversely,
Xpassive transfers are those where the client connects to the server
Xto receive data.<BR>
X<A NAME=TOC_46>
X<H2>
XRunning an FTP Server
X</H2>
X</A><BR>
X<P>
X<P>
XIn running an FTP server, handling Active FTP sessions is easy
Xto setup. At the same time, handling Passive FTP sessions is a
Xbig problem.  First we'll cover how to handle Active FTP, then
Xmove on to Passive.  Generally, we can handle Active FTP sessions
Xlike we would an incoming HTTP or SMTP connection; just open the
Xftp port and let <TT>keep state</TT> do the rest:<BR>
X<TT>     pass in quick proto tcp from any to 20.20.20.20/32 port = 21 flags S keep state<BR>
X     pass out proto tcp all keep state<BR>
X</TT>These rules will allow Active FTP sessions, the most common
Xtype, to your ftp server on 20.20.20.20.<BR>
X<P>
X<P>
XThe next challenge becomes handling Passive FTP connections. 
XWeb browsers default to this mode, so it's becoming quite popular
Xand as such it should be supported.  The problem with passive
Xconnections are that for every passive connection, the server
Xstarts listening on a new port (usually above 1023).  This is
Xessentially like creating a new unknown service on the server.
XAssuming we have a good firewall with a default-deny policy, that
Xnew service will be blocked, and thus Passive FTP sessions are
Xbroken. Don't despair!  There's hope yet to be had.<BR>
X<P>
X<P>
XA person's first inclination to solving this problem might be
Xto just open up all ports above 1023.  In truth, this will work:<BR>
X<TT>     pass in quick proto tcp from any to 20.20.20.20/32 port &gt; 1023 flags S keep state<BR>
X     pass out proto tcp all keep state<BR>
X</TT>This is somewhat unsatisfactory, though.  By letting everything
Xabove 1023 in, we actually open ourselves up for a number of potential
Xproblems.  While 1-1023 is the designated area for server services
Xto run, numerous programs decided to use numbers higher than 1023,
Xsuch as nfsd and X.<BR>
X<P>
X<P>
XThe good news is that your FTP server gets to decide which ports
Xget assigned to passive sessions.  This means that instead of
Xopening all ports above 1023, you can allocate ports 15001-19999
Xas ftp ports and only open that range of your firewall up.  In
Xwu-ftpd, this is done with the <TT>passive ports</TT> option in
X<TT>ftpaccess</TT>. Please see the man page on <TT>ftpaccess</TT>
Xfor details in wu-ftpd configuration.  On the ipfilter side, all
Xwe need do is setup corresponding rules:<BR>
X<TT>     pass in quick proto tcp from any to 20.20.20.20/32 port 15000 &gt;&lt; 20000 flags S keep state<BR>
X     pass out proto tcp all keep state<BR>
X</TT>If even this solution doesn't satisfy you, you can always
Xhack IPF support into your FTP server, or FTP server support into
XIPF.<BR>
X<A NAME=TOC_47>
X<H2>
XRunning an FTP Client
X</H2>
X</A><BR>
X<P>
X<P>
XWhile FTP server support is still less than perfect in IPF, FTP
Xclient support has been working well since 3.3.3.  As with FTP
Xservers, there are two types of ftp client transfers: passive
Xand active.<BR>
X<P>
X<P>
XThe simplest type of client transfer from the firewall's standpoint
Xis the passive transfer.  Assuming you're keeping state on all
Xoutbound tcp sessions, passive transfers will work already.  If
Xyou're not doing this already, please consider the following:<BR>
X<TT>    pass out proto tcp all keep state<BR>
X</TT>The second type of client transfer, active, is a bit more
Xtroublesome, but nonetheless a solved problem.  Active transfers
Xcause the server to open up a second connection back to the client
Xfor data to flow through.  This is normally a problem when there's
Xa firewall in the middle, stopping outside connections from coming
Xback in.  To solve this, ipfilter includes an <TT>ipnat</TT> proxy
Xwhich temporarily opens up a hole in the firewall just for the
XFTP server to get back to the client.  Even if you're not using
X<TT>ipnat</TT> to do nat, the proxy is still effective.  The following
Xrules is the bare minimum to add to the <TT>ipnat</TT> configuration
Xfile (<TT>ep0</TT> should be the interface name of the outbound
Xnetwork connection):<BR>
X<TT>     map ep0 0/0 -&gt; 0/32 proxy port 21 ftp/tcp<BR>
X</TT>For more details on ipfilter's internal proxies, see section
X3.6. Additionally, IPF's ftp proxy does work the &quot;wrong way&quot;,
Xand can be used to support a natted FTP server, but you <I>really</I>
Xdon't want to do this for security reasons.  Really.  This is
Xa huge security hole. See http://www.false.net/ipfilter/2001_11/0273.html
Xfor reasons why you should forget you ever thought about this.<BR>
X<A NAME=TOC_48>
X<H2>
XAssorted Kernel Variables
X</H2>
X</A><BR>
X<P>
X<P>
XThere are some useful kernel tunes that either need to be set
Xfor ipf to function, or are just generally handy to know about
Xfor building firewalls.  The first major one you must set is to
Xenable IP Forwarding, otherwise ipf will do very little, as the
Xunderlying ip stack won't actually route packets.<BR>
XIP Forwarding:<BR>
X<CENTER>
Xopenbsd:<BR>
X</CENTER>
Xnet.inet.ip.forwarding=1<BR>
X<CENTER>
Xfreebsd:<BR>
X</CENTER>
Xnet.inet.ip.forwarding=1<BR>
X<CENTER>
Xnetbsd:<BR>
X</CENTER>
Xnet.inet.ip.forwarding=1<BR>
X<CENTER>
Xsolaris:<BR>
X</CENTER>
Xndd -set /dev/ip ip_forwarding 1<BR>
XEphemeral Port Adjustment:<BR>
X<CENTER>
Xopenbsd:<BR>
X</CENTER>
Xnet.inet.ip.portfirst = 25000<BR>
X<CENTER>
Xfreebsd:<BR>
X</CENTER>
Xnet.inet.ip.portrange.first = 25000 net.inet.ip.portrange.last
X= 49151<BR>
X<CENTER>
Xnetbsd:<BR>
X</CENTER>
Xnet.inet.ip.anonportmin = 25000 net.inet.ip.anonportmax = 49151<BR>
X<CENTER>
Xsolaris:<BR>
X</CENTER>
Xndd -set /dev/tcp tcp_smallest_anon_port 25000<BR>
Xndd -set /dev/tcp tcp_largest_anon_port 65535<BR>
XOther Useful Values:<BR>
X<CENTER>
Xopenbsd:<BR>
X</CENTER>
Xnet.inet.ip.sourceroute = 0<BR>
Xnet.inet.ip.directed-broadcast = 0<BR>
X<CENTER>
Xfreebsd:<BR>
X</CENTER>
Xnet.inet.ip.sourceroute=0<BR>
Xnet.ip.accept_sourceroute=0<BR>
X<CENTER>
Xnetbsd:<BR>
X</CENTER>
Xnet.inet.ip.allowsrcrt=0<BR>
Xnet.inet.ip.forwsrcrt=0<BR>
Xnet.inet.ip.directed-broadcast=0<BR>
Xnet.inet.ip.redirect=0<BR>
X<CENTER>
Xsolaris:<BR>
X</CENTER>
Xndd -set /dev/ip ip_forward_directed_broadcasts 0<BR>
Xndd -set /dev/ip ip_forward_src_routed 0<BR>
Xndd -set /dev/ip ip_respond_to_echo_broadcast 0<BR>
XIn addition, freebsd has some ipf specific sysctl variables.<BR>
X<TT> net.inet.ipf.fr_flags: 0<BR>
X net.inet.ipf.fr_pass: 514<BR>
X net.inet.ipf.fr_active: 0<BR>
X net.inet.ipf.fr_tcpidletimeout: 864000<BR>
X net.inet.ipf.fr_tcpclosewait: 60<BR>
X net.inet.ipf.fr_tcplastack: 20<BR>
X net.inet.ipf.fr_tcptimeout: 120<BR>
X net.inet.ipf.fr_tcpclosed: 1<BR>
X net.inet.ipf.fr_udptimeout: 120<BR>
X net.inet.ipf.fr_icmptimeout: 120<BR>
X net.inet.ipf.fr_defnatage: 1200<BR>
X net.inet.ipf.fr_ipfrttl: 120<BR>
X net.inet.ipf.ipl_unreach: 13<BR>
X net.inet.ipf.ipl_inited: 1<BR>
X net.inet.ipf.fr_authsize: 32<BR>
X net.inet.ipf.fr_authused: 0<BR>
X net.inet.ipf.fr_defaultauthage: 600<BR>
X</TT>
X<A NAME=TOC_49>
X<H2>
XFun with ipf!
X</H2>
X</A><BR>
X<P>
X<P>
XThis section doesn't necessarily teach you anything new about
Xipf, but it may raise an issue or two that you haven't yet thought
Xup on your own, or tickle your brain in a way that you invent
Xsomething interesting that we haven't thought of.<BR>
X<A NAME=TOC_50>
X<H2>
XLocalhost Filtering
X</H2>
X</A><BR>
X<P>
X<P>
XA long time ago at a university far, far away, Wietse Venema created
Xthe tcp-wrapper package, and ever since, it's been used to add
Xa layer of protection to network services all over the world.
XThis is good.  But, tcp-wrappers have flaws.  For starters, they
Xonly protect TCP services, as the name suggests.   Also, unless
Xyou run your service from inetd, or you have specifically compiled
Xit with libwrap and the appropriate hooks, your service isn't
Xprotected.    This leaves gigantic holes in your host security.
XWe can plug these up by using ipf on the local host. For example,
Xmy laptop often gets plugged into or dialed into networks that
XI don't specifically trust, and so, I use the following rule set:<BR>
X<TT>     pass in quick on lo0 all<BR>
X     pass out quick on lo0 all<BR>
X     block in log all<BR>
X     block out all<BR>
X     pass in quick proto tcp from any to any port = 113 flags S keep state<BR>
X     pass in quick proto tcp from any to any port = 22 flags S keep state<BR>
X     pass in quick proto tcp from any port = 20 to any port 39999 &gt;&lt; 45000 flags S keep state<BR>
X     pass out quick proto icmp from any to any keep state<BR>
X     pass out quick proto tcp/udp from any to any keep state keep frags<BR>
X</TT>It's been like that for quite a while, and I haven't suffered
Xany pain or anguish as a result of having ipf loaded up all the
Xtime.  If I wanted to tighten it up more, I could switch to using
Xthe NAT ftp proxy and I could add in some rules to prevent spoofing.
XBut even as it stands now, this box is far more restrictive about
Xwhat it presents to the local network and beyond than the typical
Xhost does.   This is a good thing if you happen to run a machine
Xthat allows a lot of users on it, and you want to make sure  one
Xof them doesn't happen to start up a service they wern't supposed
Xto.  It won't stop a malicious hacker with root access from adjusting
Xyour ipf rules and starting a service anyway, but it will keep
Xthe &quot;honest&quot; folks honest, and your weird services safe,
Xcozy and warm even on a malicious LAN.  A big win, in my opinion.
XUsing local host filtering in addition to a somewhat less-restrictive
X&quot;main firewall&quot; machine can solve many performance issues
Xas well as <I>political</I> nightmares like &quot;Why doesn't
XICQ work?&quot; and &quot;Why can't I put a web server on my own
Xworkstation! It's MY WORKSTATION!!&quot; Another very big win.
XWho says you can't have security and convienence at the same time?<BR>
X<A NAME=TOC_51>
X<H2>
XWhat Firewall?  Transparent filtering.
X</H2>
X</A><BR>
X<P>
X<P>
XOne major concern in setting up a firewall is the integrity of
Xthe firewall itself.  Can somebody break into your firewall, thereby
Xsubverting its ruleset?  This is a common problem administrators
Xmust face, particularly when they're using firewall solutions
Xon top of their Unix/NT machines.  Some use it as an arguement
Xfor blackbox hardware solutions, under the flawed notion that
Xinherent obscurity of their closed system increases their security.
XWe have a better way.<BR>
X<P>
X<P>
XMany network admins are familiar with the common ethernet bridge.
XThis is a device that connects two separate ethernet segments
Xto make them one.  An ethernet bridge is typically used to connect
Xseparate buildings, switch network speeds, and extend maximum
Xwire lengths.  Hubs and switches are common bridges, sometimes
Xthey're just 2 ported devices called repeaters.  Recent versions
Xof Linux, OpenBSD, NetBSD, and FreeBSD include code to convert
X$1000 PCs into $10 bridges, too!  What all bridges tend to have
Xin common is that though they sit in the middle of a connection
Xbetween two machines, the two machines don't know the bridge is
Xthere.  Enter ipfilter and OpenBSD.<BR>
X<P>
X<P>
XEthernet bridging takes place at Layer2 on the ISO stack.  IP
Xtakes place on Layer3.  IP Filter in primarily concerned with
XLayer3, but dabbles in Layer2 by working with interfaces.  By
Xmixing IP filter with OpenBSD's bridge device, we can create a
Xfirewall that is both invisible and unreachable.  The system needs
Xno IP address, it doesn't even need to reveal its ethernet address.
XThe only telltale sign that the filter might be there is that
Xlatency is somewhat higher than a piece of cat5 would normally
Xmake it, and that packets don't seem to make it to their final
Xdestination.<BR>
X<P>
X<P>
XThe setup for this sort of ruleset is surprisingly simple, too.
XIn OpenBSD, the first bridge device is named <TT>bridge0</TT>.
XSay we have two ethernet cards in our machine as well, <TT>xl0</TT>
Xand <TT>xl1</TT>. To turn this machine into a bridge, all one
Xneed do is enter the following three commands:<BR>
X<TT>    brconfig bridge0 add xl0 add xl1 up<BR>
X    ifconfig xl0 up<BR>
X    ifconfig xl1 up<BR>
X</TT>At ths point, all traffic ariving on <TT>xl0</TT> is sent
Xout <TT>xl1</TT> and all traffic on <TT>xl1</TT> is sent out <TT>xl0</TT>.
XYou'll note that neither interface has been assigned an IP address,
Xnor do we need assign one.  All things considered, it's likely
Xbest we not add one at all.<BR>
X<P>
X<P>
XRulesets behave essentially the as the always have.  Though there
Xis a <TT>bridge0</TT> interface, we don't filter based on it.
XRules continue to be based upon the particular interface we're
Xusing, making it important which network cable is plugged into
Xwhich network card in the back of the machine.  Let's start with
Xsome basic filtering to illistrate what's happened.  Assume the
Xnetwork used to look like this:<BR>
X<TT>  20.20.20.1 &lt;---------------------------------&gt; 20.20.20.0/24 network hub<BR>
X</TT>That is, we have a router at 20.20.20.1 connected to the
X20.20.20.0/24 network.  All packets from the 20.20.20.0/24 network
Xgo through 20.20.20.1 to get to the outside world and vice versa.
XNow we add the Ipf Bridge:<BR>
X<TT>  20.20.20.1 &lt;-------/xl0 IpfBridge xl1/-------&gt; 20.20.20.0/24 network hub<BR>
X</TT>We also have the following ruleset loaded on the IpfBridge
Xhost:<BR>
X<TT>    pass in  quick  all<BR>
X    pass out quick  all<BR>
X</TT>With this ruleset loaded, the network is functionally identical.
XAs far as the 20.20.20.1 router is concerned, and as far as the
X20.20.20.0/24 hosts are concerned, the two network diagrams are
Xidentical.  Now let's change the ruleset some:<BR>
X<TT>    block in quick on xl0 proto icmp<BR>
X    pass  in  quick all<BR>
X    pass  out quick all<BR>
X</TT>Still, 20.20.20.1 and 20.20.20.0/24 think the network is
Xidentical, but if 20.20.20.1 attempts to ping 20.20.20.2, it will
Xnever get a reply.  What's more, 20.20.20.2 won't even get the
Xpacket in the first place.  IPfilter will intercept the packet
Xbefore it even gets to the other end of the virtual wire.  We
Xcan put a bridged filter anywhere.  Using this method we can shrink
Xthe network trust circle down an individual host level (given
Xenough ethernet cards:-)<BR>
X<P>
X<P>
XBlocking icmp from the world seems kind of silly, especially if
Xyou're a sysadmin and like pinging the world, to traceroute, or
Xto resize your MTU.  Let's construct a better ruleset and take
Xadvantage of the original key feature of ipf: stateful inspection.<BR>
X<TT>    pass  in quick on xl1 proto tcp  keep state<BR>
X    pass  in quick on xl1 proto udp  keep state<BR>
X    pass  in quick on xl1 proto icmp keep state<BR>
X    block in quick on xl0<BR>
X</TT>In this situation, the 20.20.20.0/24 network (perhaps more
Xaptly called the <TT>xl1</TT> network) can now reach the outside
Xworld, but the outside world can't reach it, and it can't figure
Xout why, either. The router is accessible, the hosts are active,
Xbut the outside world just can't get in.  Even if the router itself
Xwere compromised, the firewall would still be active and successful.<BR>
X<P>
X<P>
XSo far, we've been filtering by interface and protocol only. Even
Xthough bridging is concerned layer2, we can still discriminate
Xbased on IP address.  Normally we have a few services running,
Xso our ruleset may look like this:<BR>
X<TT>    pass  in quick on xl1 proto tcp  keep state<BR>
X    pass  in quick on xl1 proto udp  keep state<BR>
X    pass  in quick on xl1 proto icmp keep state<BR>
X    block in quick on xl1 # nuh-uh, we're only passing tcp/udp/icmp sir.<BR>
X    pass  in quick on xl0 proto udp from any to 20.20.20.2/32 port=53 keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.2/32 port=53 flags S keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.3/32 port=25 flags S keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.7/32 port=80 flags S keep state<BR>
X    block in quick on xl0<BR>
X</TT>Now we have a network where 20.20.20.2 is a zone serving
Xname server, 20.20.20.3 is an incoming mail server, and 20.20.20.7
Xis a web server.<BR>
X<P>
X<P>
XBridged IP Filter is not yet perfect, we must confess.<BR>
X<P>
X<P>
XFirst,  You'll note that all the rules are setup using the <TT>in</TT>
Xdirection instead of a combination of <TT>in</TT> and <TT>out</TT>.
XThis is because the <TT>out</TT> direction is presently unimplemented
Xwith bridging in OpenBSD.  This was originally done to prevent
Xvast performance drops using multiple interfaces.  Work has been
Xdone in speeding it up, but it remains unimplemented.  If you
Xreally want this feature, you might try your hand at working on
Xthe code or asking the OpenBSD people how you can help.<BR>
X<P>
X<P>
XSecond, using IP Filter with bridging makes the use of IPF's NAT
Xfeatures inadvisable, if not downright dangerous.  The first problem
Xis that it would give away that there's a filtering bridge.  The
Xsecond problem would be that the bridge has no IP address to masquerade
Xwith, which will most assuredly lead to confusion and perhaps
Xa kernel panic to boot.  You can, of course, put an IP address
Xon the outbound interface to make NAT work, but part of the glee
Xof bridging is thus diminished.<BR>
X<A NAME=TOC_52>
X<H2>
XUsing Transparent Filtering to Fix Network Design Mistakes
X</H2>
X</A><BR>
X<P>
X<P>
XMany organizations started using IP well before they thought a
Xfirewall or a subnet would be a good idea.  Now they have class-C
Xsized networks or larger that include all their servers, their
Xworkstations, their routers, coffee makers, everything.  The horror!
XRenumbering with proper subnets, trust levels, filters, and so
Xare in both time consuming and expensive.  The expense in hardware
Xand man hours alone is enough to make most organizations unwilling
Xto really solve the problem, not to mention the downtime involved.
XThe typical problem network looks like this:<BR>
X<TT>    20.20.20.1   router               20.20.20.6   unix server<BR>
X    20.20.20.2   unix server          20.20.20.7   nt workstation<BR>
X    20.20.20.3   unix server          20.20.20.8   nt server<BR>
X    20.20.20.4   win98 workstation    20.20.20.9   unix workstation<BR>
X    20.20.20.5   intelligent switch   20.20.20.10  win95 workstation<BR>
X</TT>Only it's about 20 times larger and messier and frequently
Xundocumented.  Ideally, you'd have all the trusting servers in
Xone subnet, all the work- stations in another, and the network
Xswitches in a third.  Then the router would filter packets between
Xthe subnets, giving the workstations limited access to the servers,
Xnothing access to the switches, and only the sysadmin's workstation
Xaccess to the coffee pot.  I've never seen a class-C sized network
Xwith such coherence.  IP Filter can help.<BR>
X<P>
X<P>
XTo start with, we're going to separate the router, the workstations,
Xand the servers.  To do this we're going to need 2 hubs (or switches)
Xwhich we probably already have, and an IPF machine with 3 ethernet
Xcards.  We're going to put all the servers on one hub and all
Xthe workstations on the other.  Normally we'd then connect the
Xhubs to each other, then to the router.  Instead, we're going
Xto plug the router into IPF's <TT>xl0</TT> interface, the servers
Xinto IPF's <TT>xl1</TT> interface, and the workstations into IPF's
X<TT>xl2</TT> interface. Our network diagram looks something like
Xthis:<BR>
X<TT>                                                 | 20.20.20.2  unix server<BR>
X    router (20.20.20.1)              ____________| 20.20.20.3  unix server<BR>
X     |                              /            | 20.20.20.6  unix server<BR>
X     |                             /xl1          | 20.20.20.7  nt server<BR>
X     ------------/xl0 IPF Bridge &lt;<BR>
X                                   &#160;xl2         | 20.20.20.4  win98 workstation<BR>
X                                    ____________| 20.20.20.8  nt workstation<BR>
X                                                 | 20.20.20.9  unix workstation<BR>
X                                                 | 20.20.20.10 win95 workstation<BR>
X</TT>Where once there was nothing but interconnecting wires, now
Xthere's a filtering bridge that not a single host needs to be
Xmodified to take advantage of.  Presumably we've already enabled
Xbridging so the network is behaving perfectly normally.  Further,
Xwe're starting off with a ruleset much like our last ruleset:<BR>
X<TT>    pass  in quick on xl0 proto udp from any to 20.20.20.2/32 port=53 keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.2/32 port=53 flags S keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.3/32 port=25 flags S keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.7/32 port=80 flags S keep state<BR>
X    block in quick on xl0<BR>
X    pass  in quick on xl1 proto tcp  keep state<BR>
X    pass  in quick on xl1 proto udp  keep state<BR>
X    pass  in quick on xl1 proto icmp keep state<BR>
X    block in quick on xl1 # nuh-uh, we're only passing tcp/udp/icmp sir.<BR>
X    pass  in quick on xl2 proto tcp  keep state<BR>
X    pass  in quick on xl2 proto udp  keep state<BR>
X    pass  in quick on xl2 proto icmp keep state<BR>
X    block in quick on xl2 # nuh-uh, we're only passing tcp/udp/icmp sir.<BR>
X</TT>Once again, traffic coming from the router is restricted
Xto DNS, SMTP, and HTTP.  At the moment, the servers and the workstations
Xcan exchange traffic freely.  Depending on what kind of organization
Xyou are, there might be something about this network dynamic you
Xdon't like.  Perhaps you don't want your workstations getting
Xaccess to your servers at all?  Take the <TT>xl2</TT> ruleset
Xof:<BR>
X<TT>    pass  in quick on xl2 proto tcp  keep state<BR>
X    pass  in quick on xl2 proto udp  keep state<BR>
X    pass  in quick on xl2 proto icmp keep state<BR>
X    block in quick on xl2 # nuh-uh, we're only passing tcp/udp/icmp sir.<BR>
X</TT>And change it to:<BR>
X<TT>    block in quick on xl2 from any to 20.20.20.0/24<BR>
X    pass  in quick on xl2 proto tcp  keep state<BR>
X    pass  in quick on xl2 proto udp  keep state<BR>
X    pass  in quick on xl2 proto icmp keep state<BR>
X    block in quick on xl2 # nuh-uh, we're only passing tcp/udp/icmp sir.<BR>
X</TT>Perhaps you want them to just get to the servers to get and
Xsend their mail with IMAP?  Easily done:<BR>
X<TT>    pass  in quick on xl2 proto tcp from any to 20.20.20.3/32 port=25<BR>
X    pass  in quick on xl2 proto tcp from any to 20.20.20.3/32 port=143<BR>
X    block in quick on xl2 from any to 20.20.20.0/24<BR>
X    pass  in quick on xl2 proto tcp  keep state<BR>
X    pass  in quick on xl2 proto udp  keep state<BR>
X    pass  in quick on xl2 proto icmp keep state<BR>
X    block in quick on xl2 # nuh-uh, we're only passing tcp/udp/icmp sir.<BR>
X</TT>Now your workstations and servers are protected from the
Xoutside world, and the servers are protected from your workstations.<BR>
X<P>
X<P>
XPerhaps the opposite is true, maybe you want your workstations
Xto be able to get to the servers, but not the outside world. After
Xall, the next generation of exploits is breaking the clients,
Xnot the servers.  In this case, you'd change the <TT>xl2</TT>
Xrules to look more like this:<BR>
X<TT>    pass  in quick on xl2 from any to 20.20.20.0/24<BR>
X    block in quick on xl2<BR>
X</TT>Now the servers have free reign, but the clients can only
Xconnect to the servers.  We might want to batten down the hatches
Xon the servers, too:<BR>
X<TT>    pass  in quick on xl1 from any to 20.20.20.0/24<BR>
X    block in quick on xl1<BR>
X</TT>With the combination of these two, the clients and servers
Xcan talk to each other, but neither can access the outside world
X(though the outside world can get to the few services from earlier).
XThe whole ruleset would look something like this:<BR>
X<TT>    pass  in quick on xl0 proto udp from any to 20.20.20.2/32 port=53 keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.2/32 port=53                                                              flags S keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.3/32 port=25                                                              flags S keep state<BR>
X    pass  in quick on xl0 proto tcp from any to 20.20.20.7/32 port=80                                                              flags S keep state<BR>
X    block in quick on xl0<BR>
X    pass  in quick on xl1 from any to 20.20.20.0/24<BR>
X    block in quick on xl1<BR>
X    pass  in quick on xl2 from any to 20.20.20.0/24<BR>
X    block in quick on xl2<BR>
X</TT>So remember, when your network is a mess of twisty IP addresses
Xand machine classes, transparent filtered bridges can solve a
Xproblem that would otherwise be lived with and perhaps someday
Xexploited.<BR>
X<A NAME=TOC_53>
X<H2>
XDrop-Safe Logging With dup-to and to.
X</H2>
X</A><BR>
X<P>
X<P>
XUntil now, we've been using the filter to drop packets.  Instead
Xof dropping them, let's consider passing them on to another system
Xthat can do something useful with this information beyond the
Xlogging we can perform with ipmon.   Our firewall system, be it
Xa bridge or a router, can have as many interfaces as we can cram
Xinto the system.  We can use this information to create a &quot;drop-safe&quot;
Xfor our packets.  A good example of a use for this would be to
Ximplement an intrusion detection network. For starters, it might
Xbe desirable to hide the presence of our intrusion detection systems
Xfrom our real network so that we can keep them from being detected.<BR>
X<P>
X<P>
XBefore we get started, there are some operational characteristics
Xthat we need to make note of.  If we are only going to deal with
Xblocked packets, we can use either the <TT>to</TT> keyword or
Xthe <TT>fastroute</TT> keyword. (We'll cover the differences between
Xthese two later)  If we're going to pass the packets like we normally
Xwould, we need to make a copy of the packet for our drop-safe
Xlog with the <TT>dup-to</TT> keyword.<BR>
X<A NAME=TOC_54>
X<H2>
XThe dup-to Method
X</H2>
X</A><BR>
X<P>
X<P>
XIf, for example, we wanted to send a copy of everything going
Xout the <TT>xl3</TT> interface off to our drop-safe network on
X<TT>ed0</TT>, we would use this rule in our filter list:<BR>
X<TT>     pass out on xl3 dup-to ed0 from any to any<BR>
X</TT>You might also have a need to send the packet directly to
Xa specific IP address on your drop-safe network instead of just
Xmaking a copy of the packet out there and hoping for the best.
XTo do this, we modify our rule slightly:<BR>
X<TT>     pass out on xl3 dup-to ed0:192.168.254.2 from any to any<BR>
X</TT>But be warned that this method will alter the copied packet's
Xdestination address, and may thus destroy the usefulness of the
Xlog.  For this reason, we recommend only using the known address
Xmethod of logging when you can be certain that the address that
Xyou're logging to corresponds in some way to what you're logging
Xfor (e.g.: don't use &quot;192.168.254.2&quot; for logging for
Xboth your web server and your mail server, since you'll have a
Xhard time later trying to figure out which system was the target
Xof a specific set of packets.)<BR>
X<P>
X<P>
XThis technique can be used quite effectively if you treat an <I>IP
XAddress</I> on your drop-safe network in much the same way that
Xyou would treat a <I>Multicast Group</I> on the real internet.
X(e.g.: &quot;192.168.254.2&quot; could be the channel for your
Xhttp traffic analysis system, &quot;23.23.23.23&quot; could be
Xyour channel for telnet sessions, and so on.)    You don't even
Xneed to actually have this address set as an address or alias
Xon any of your analysis systems.  Normally, your ipfilter machine
Xwould need to ARP for the new destination address (using <TT>dup-to
Xed0:192.168.254.2</TT> style, of course) but we can avoid that
Xissue by creating a static arp entry for this <I>&quot;channel&quot;</I>
Xon our ipfilter system.<BR>
X<P>
X<P>
XIn general, though, <TT>dup-to ed0</TT> is all that is required
Xto get a new copy of the packet over to our drop-safe network
Xfor logging and examination.<BR>
X<A NAME=TOC_55>
X<H2>
XThe to Method
X</H2>
X</A><BR>
X<P>
X<P>
XThe <TT>dup-to</TT> method does have an immediate drawback, though.
XSince it has to make a copy of the packet and optionally modify
Xit for its new destination, it's going to take a while to complete
Xall this work and be ready to deal with the next packet coming
Xin to the ipfilter system.<BR>
X<P>
X<P>
XIf we don't care about passing the packet to its normal destination
Xand we were going to block it anyway, we can just use the <TT>to</TT>
Xkeyword to push this packet past the normal routing table and
Xforce it to go out a different interface than it would normally
Xgo out.<BR>
X<TT>     block in quick on xl0 to ed0 proto tcp from any to any port &lt; 1024<BR>
X</TT>we use <TT>block quick</TT> for <TT>to</TT> interface routing,
Xbecause like <TT>fastroute</TT>, the <TT>to</TT> interface code
Xwill generate two packet paths through ipfilter when used with
X<TT>pass</TT>, and likely cause your system to panic.<BR>
X<A NAME=TOC_56>
X<H2>
XBogus Network Filtering, the ultimate in current anti-spoofing
Xtechnology.
X</H2>
X</A><BR>
X<P>
X<P>
XWe've spent a little bit of time tracking down the current vast
Xtracts of IP address space that have been reserved by the IANA
Xfor various reasons, or are otherwise not currently in use at
Xthe time this document was written.   Since none of these address
Xranges should be in use currently, there should be no legitimate
Xreason to ever see them as a source address, or to send them traffic
Xas a destination address, right?   Right!<BR>
X<P>
X<P>
XSo without further ado, the complete list of bogus networks:<BR>
X<TT>     #<BR>
X     # s/OUTSIDE/outside-interface (eg: fxp0)<BR>
X     # s/MYNET/network-cidr-address (eg: 1.2.3.0/24)<BR>
X     #<BR>
X     block in on OUTSIDE all<BR>
X     block in quick on OUTSIDE from 0.0.0.0/7 to any<BR>
X     block in quick on OUTSIDE from 2.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 5.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 10.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 23.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 27.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 31.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 69.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 70.0.0.0/7 to any<BR>
X     block in quick on OUTSIDE from 72.0.0.0/5 to any<BR>
X     block in quick on OUTSIDE from 82.0.0.0/7 to any<BR>
X     block in quick on OUTSIDE from 84.0.0.0/6 to any<BR>
X     block in quick on OUTSIDE from 88.0.0.0/5 to any<BR>
X     block in quick on OUTSIDE from 96.0.0.0/3 to any<BR>
X     block in quick on OUTSIDE from 127.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 128.0.0.0/16 to any<BR>
X     block in quick on OUTSIDE from 128.66.0.0/16 to any<BR>
X     block in quick on OUTSIDE from 169.254.0.0/16 to any<BR>
X     block in quick on OUTSIDE from 172.16.0.0/12 to any<BR>
X     block in quick on OUTSIDE from 191.255.0.0/16 to any<BR>
X     block in quick on OUTSIDE from 192.0.0.0/19 to any<BR>
X     block in quick on OUTSIDE from 192.0.48.0/20 to any<BR>
X     block in quick on OUTSIDE from 192.0.64.0/18 to any<BR>
X     block in quick on OUTSIDE from 192.0.128.0/17 to any<BR>
X     block in quick on OUTSIDE from 192.168.0.0/16 to any<BR>
X     block in quick on OUTSIDE from 197.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 201.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 204.152.64.0/23 to any<BR>
X     block in quick on OUTSIDE from 219.0.0.0/8 to any<BR>
X     block in quick on OUTSIDE from 220.0.0.0/6 to any<BR>
X     block in quick on OUTSIDE from 224.0.0.0/3 to any<BR>
X     block in quick on OUTSIDE from MYNET to any<BR>
X     # Your pass rules come here...<BR>
X     block out on OUTSIDE all<BR>
X     block out quick on OUTSIDE from !MYNET to any<BR>
X     block out quick on OUTSIDE from MYNET to 0.0.0.0/7<BR>
X     block out quick on OUTSIDE from MYNET to 2.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 5.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 10.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 23.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 27.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 31.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 69.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 70.0.0.0/7<BR>
X     block out quick on OUTSIDE from MYNET to 72.0.0.0/5<BR>
X     block out quick on OUTSIDE from MYNET to 82.0.0.0/7<BR>
X     block out quick on OUTSIDE from MYNET to 84.0.0.0/6<BR>
X     block out quick on OUTSIDE from MYNET to 88.0.0.0/5<BR>
X     block out quick on OUTSIDE from MYNET to 96.0.0.0/3<BR>
X     block out quick on OUTSIDE from MYNET to 127.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 128.0.0.0/16<BR>
X     block out quick on OUTSIDE from MYNET to 128.66.0.0/16<BR>
X     block out quick on OUTSIDE from MYNET to 169.254.0.0/16<BR>
X     block out quick on OUTSIDE from MYNET to 172.16.0.0/12<BR>
X     block out quick on OUTSIDE from MYNET to 191.255.0.0/16<BR>
X     block out quick on OUTSIDE from MYNET to 192.0.0.0/19<BR>
X     block out quick on OUTSIDE from MYNET to 192.0.48.0/20<BR>
X     block out quick on OUTSIDE from MYNET to 192.0.64.0/18<BR>
X     block out quick on OUTSIDE from MYNET to 192.0.128.0/17<BR>
X     block out quick on OUTSIDE from MYNET to 192.168.0.0/16<BR>
X     block out quick on OUTSIDE from MYNET to 197.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 201.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 204.152.64.0/23<BR>
X     block out quick on OUTSIDE from MYNET to 219.0.0.0/8<BR>
X     block out quick on OUTSIDE from MYNET to 220.0.0.0/6<BR>
X     block out quick on OUTSIDE from MYNET to 224.0.0.0/3<BR>
X     # Your pass rules come here...<BR>
X</TT>If you're going to use these, we suggest that you become
Xfamiliar with whois.arin.net and keep an occasional eye on these,
Xas the IANA isn't going to notify you when they allocate one of
Xthese to a new corporation or something.  You have been warned.<BR>
X<P>
X<P>
X<P>
X<P>
X<!-- Stop Mirror Here -->
X</BODY>
X</HTML>
END-of-bitlbee/ipf-howto.html
echo c - bitlbee/files
mkdir -p bitlbee/files > /dev/null 2>&1
echo x - bitlbee/files/patch-ab
sed 's/^X//' >bitlbee/files/patch-ab << 'END-of-bitlbee/files/patch-ab'
X*** bitlbee.h.orig	Tue Jun 24 19:55:19 2003
X--- bitlbee.h	Tue Jul 22 16:18:52 2003
X***************
X*** 67,72 ****
X--- 67,83 ----
X  #include "commands.h"
X  #include "account.h"
X  
X+ typedef struct settings
X+ {
X+ 	char *interface;
X+ 	signed int port;
X+ 	int nofork;
X+ 	int verbose;
X+ 	int listen_socket;
X+ 	int mode;
X+ } settings_t;
X+ 
X+ 
X  int root_command_string( irc_t *irc, user_t *u, char *command );
X  int root_command( irc_t *irc, char *command[] );
X  int bitlbee_init( irc_t *irc );
X***************
X*** 74,80 ****
X--- 85,93 ----
X  int bitlbee_save( irc_t *irc );
X  void http_encode( char *s );
X  void http_decode( char *s );
X+ settings_t *set_load( int argc, char *argv[] );
X  
X  extern irc_t *IRC;
X+ extern GList *connection_list;
X  
X  #endif
END-of-bitlbee/files/patch-ab
echo x - bitlbee/files/patch-a
sed 's/^X//' >bitlbee/files/patch-a << 'END-of-bitlbee/files/patch-a'
X*** bitlbee.c.orig	Mon Apr 28 19:18:54 2003
X--- bitlbee.c	Tue Jul 22 16:18:52 2003
X***************
X*** 32,47 ****
X  #include <signal.h>
X  
X  irc_t *IRC;	/* :-( */
X  
X  static void sighandler( int signal );
X  
X  int main( int argc, char *argv[] )
X  {
X- 	irc_t *irc;
X- 	struct timeval tv[1];
X- 	fd_set fds[1];
X  	int i;
X! 	
X  	if( 1 )
X  	{
X  		/* Catch some signals to tell the user what's happening before quitting */
X--- 32,68 ----
X  #include <signal.h>
X  
X  irc_t *IRC;	/* :-( */
X+ GList *connection_list = NULL;
X+ settings_t *set;
X  
X  static void sighandler( int signal );
X+ static int bitlbee_daemon_main_loop( void );
X+ static int bitlbee_inetd_main_loop( void );
X+ static int bitlbee_daemon_init( void );
X+ static int bitlbee_inetd_init( void );
X  
X  int main( int argc, char *argv[] )
X  {
X  	int i;
X! 
X!         if( !( set = set_load( argc, argv ) ) )
X!                 return( 1 );
X! 		
X! 	if( set->mode == 1 ) 
X! 	{
X! 		i=bitlbee_inetd_init( );
X! 		if( i!=0 ) 
X! 			return( i );
X! 	}
X! 	else if( set->mode == 2 )
X! 	{
X! 		i = bitlbee_daemon_init( );
X! 		if( i!=0 )
X! 			return( i );
X! 	}
X! 
X! 	nogaim_init();
X! 
X  	if( 1 )
X  	{
X  		/* Catch some signals to tell the user what's happening before quitting */
X***************
X*** 57,85 ****
X  		sigaction( SIGTERM, &sig, &old );
X  	}
X  	
X- 	if( !( IRC = irc = irc_new( 0 ) ) )
X- 		return( 1 );
X- 	
X- 	nogaim_init();
X- 	set_add( irc, "save_on_quit", "true", set_eval_bool );
X- 	
X  	while( 1 )
X  	{
X! 		FD_ZERO( fds );
X! 		FD_SET( irc->fd, fds );
X! 		tv->tv_sec = 0;
X! 		tv->tv_usec = 200000;
X! 		if( ( i = select( irc->fd + 1, fds, NULL, NULL, tv ) ) > 0 )
X  		{
X! 			if( !irc_process( irc ) ) break;
X  		}
X- 		else if( i == -1 ) break;
X- 		g_main_iteration( FALSE );
X  	}
X  	
X! 	if( irc->status && set_getint( irc, "save_on_quit" ) )
X! 		if( !bitlbee_save( irc ) )
X! 			irc_usermsg( irc, "Error while saving settings!" );
X  	
X  	return( 0 );
X  }
X--- 78,254 ----
X  		sigaction( SIGTERM, &sig, &old );
X  	}
X  	
X  	while( 1 )
X  	{
X! 		if( set->mode == 1 ) {
X! 			i = bitlbee_inetd_main_loop();
X! 			if( i!=0 )
X! 				break;
X! 		}
X! 		else if( set->mode == 2 )
X  		{
X! 			i = bitlbee_daemon_main_loop();
X! 			if( i!=0 )
X! 				break;
X  		}
X  	}
X+ 
X+ 	return( 0 );
X+ }
X+ 
X+ static int bitlbee_daemon_init(void) {
X+ 	struct sockaddr_in listen_addr;
X+ 	int i, listen_socket;
X+ 	
X+ 	listen_socket=socket( AF_INET, SOCK_STREAM, 0 );
X+ 	if( listen_socket == -1 ) {  
X+ 		perror("socket");
X+ 		return 1; 
X+ 	}
X+ 	listen_addr.sin_family = AF_INET;         
X+ 	listen_addr.sin_port = htons( set->port );     
X+ 	listen_addr.sin_addr.s_addr = inet_addr( set->interface );
X+ 	i=bind( listen_socket, ( struct sockaddr * )&listen_addr, 
X+ 	       sizeof( struct sockaddr ) );
X+ 	if( i == -1 ) {
X+ 		perror( "bind" );
X+ 		return 1;
X+ 	}
X+ 	i=listen( listen_socket, 10 );
X+ 	if( i == -1 ) {
X+ 		perror( "listen" );
X+ 		return 1;
X+ 	}
X+ 	if( set->verbose && set->nofork )
X+ 		printf( "Listening on port: %d, interface: %s\n", set->port, set->interface );
X+ 	set->listen_socket = listen_socket;
X+ 
X+ 	if( !set->nofork ) 	
X+ 	{
X+ 		i = fork();
X+ 		if( i == -1 ) {
X+ 			perror( "fork" );
X+ 			exit( 1 );
X+ 		}
X+ 		else if( i!=0 ) 
X+ 			exit( 0 );
X+ 	}
X+ 	return( 0 );
X+ }
X+ 
X+ static int bitlbee_inetd_init( void ) {
X+ 
X+ 	if( !( IRC = irc_new( 0 ) ) )
X+ 		return( 1 );
X+ 
X+ 	connection_list = g_list_append( connection_list, IRC );
X+ 
X+ 	return( 0 );
X+ }
X+ 
X+ static int bitlbee_daemon_main_loop( void ) {
X+ 	GList *temp;
X+ 	irc_t *new_connection;
X+ 	fd_set fds[1];
X+ 	struct timeval tv;
X+ 	int i, highest, size, new_socket;
X+ 	struct sockaddr_in conn_info;
X+ 
X+ 	FD_ZERO( fds );
X+ 	FD_SET( set->listen_socket, fds );		
X+ 	temp = connection_list;
X+ 	highest = set->listen_socket;
X+ 	
X+ 	while( temp != NULL ) 
X+ 	{
X+ 		FD_SET( ( ( irc_t * )( temp->data ) )->fd, fds );
X+ 		if( ( (irc_t * )( temp->data ) )->fd > highest )
X+ 			highest = ( ( irc_t * )( temp->data ) )->fd;		
X+ 		temp = temp->next;
X+ 	} 
X+ 	tv.tv_sec = 0;
X+ 	tv.tv_usec = 200000;
X+ 	if( ( i = select( highest + 1, fds, NULL, NULL, &tv ) ) > 0 )
X+ 	{
X+ 		if( FD_ISSET( set->listen_socket, fds ) ) 
X+ 		{
X+ 			size = sizeof( struct sockaddr_in );
X+ 			new_socket = accept( set->listen_socket, ( struct sockaddr * )&conn_info, 
X+ 					     &size );
X+ 			new_connection = irc_new( new_socket );
X+ 			if( !new_connection )
X+ 				return 1;
X+ 			if( set->verbose && set->nofork )
X+ 				puts("Adding new connection");
X+ 
X+ 			connection_list = g_list_append( connection_list, new_connection );
X+ 		}
X+ 		temp = connection_list;
X+ 		while( temp != NULL ) 
X+ 		{
X+ 			if( FD_ISSET( ( ( irc_t *)( temp->data ) )->fd, fds ) )
X+ 			{
X+ 				IRC = temp->data;
X+ 				if( !irc_process( IRC ) )
X+ 				{
X+ 					if( set->verbose && set->nofork )
X+ 						puts("Destroying connection");
X+ 					if( ( (irc_t * )( temp->data ) )->status && set_getint( (irc_t *)( temp->data ), "save_on_quit" ) ) 
X+ 						if( !bitlbee_save( temp->data ) )
X+ 							irc_usermsg( temp->data, "Error while saving settings!" );
X+ 					
X+ 					/* [MD] FIXME: fix memory leak/possible illegal free()
X+ 					 *      Wilmer, can you make an irc_free()?
X+ 					 */
X+ 
X+ 					free( temp->data );
X+ 					if( ( temp->next == NULL ) && ( temp->prev == NULL ) )
X+ 					{
X+ 						g_list_free_1( temp );
X+ 						connection_list = NULL;
X+ 						
X+ 					}
X+ 					else
X+ 					{
X+ 						connection_list = g_list_remove_link ( connection_list, temp );
X+ 						g_list_free_1( temp );
X+ 					}
X+ 				}			
X+ 			}
X+ 			temp = temp->next;
X+ 		}
X+ 	} 
X+ 	else if( i == -1 )  
X+ 		return -1;
X+ 	g_main_iteration( FALSE );
X  	
X! 	return 0;	
X! }
X! 
X! static int bitlbee_inetd_main_loop( void ) {
X! 	struct timeval tv[1];
X! 	fd_set fds[1];
X! 	int i;
X! 	GList *temp;
X! 
X! 	FD_ZERO( fds );
X! 	FD_SET( IRC->fd, fds );
X! 	tv->tv_sec = 0;
X! 	tv->tv_usec = 200000;
X! 	temp = connection_list;
X! 	
X! 	if( ( i = select( ( ( irc_t * )( temp->data ) )->fd + 1, fds, NULL, NULL, tv ) ) > 0 )
X! 	{
X! 		if( !irc_process( ( (irc_t * )( temp->data ) ) ) )
X! 		{ 
X! 			if( ( ( irc_t * )( temp->data ) )->status && set_getint( ( (irc_t * )( temp->data ) ), "save_on_quit" ) ) 
X! 				if( !bitlbee_save( ( (irc_t * )( temp->data ) ) ) )
X! 					irc_usermsg( ( (irc_t * )( temp->data ) ), "Error while saving settings!" );
X! 			return 1;
X! 		}
X! 	}
X! 	else if( i == -1 ) return( -1 );
X! 	g_main_iteration( FALSE );
X  	
X  	return( 0 );
X  }
X***************
X*** 359,377 ****
X  	free( t );
X  }
X  
X  static void sighandler( int signal )
X  {
X  	if( signal == SIGPIPE )
X  	{
X  		/* SIGPIPE is ignored by Gaim. Looks like we have to do
X  		   the same, because it causes some nasty hangs. */
X! 		if( set_getint( IRC, "debug" ) )
X! 			irc_usermsg( IRC, "Warning: Caught SIGPIPE, but we probably have to ignore this and pretend nothing happened..." );
X  		return;
X  	}
X  	else
X  	{
X! 		irc_write( IRC, "ERROR :Fatal signal received: %d. That's probably a bug.. :-/", signal );
X  		exit( 1 );
X  	}
X  }
X--- 528,604 ----
X  	free( t );
X  }
X  
X+ /* [MD] FIXME: SIGPIPE makes bitlbee crash for some reason */ 
X  static void sighandler( int signal )
X  {
X  	if( signal == SIGPIPE )
X  	{
X  		/* SIGPIPE is ignored by Gaim. Looks like we have to do
X  		   the same, because it causes some nasty hangs. */
X! 		if( set_getint( NULL, "debug" ) )
X! 			irc_write_all( "ERROR :Caught SIGPIPE, but we probably have to ignore this and pretend nothing happened..." );
X  		return;
X  	}
X  	else
X  	{
X! 		irc_write_all( "ERROR :Fatal signal received: %d. That's probably a bug.. :-/", signal );
X  		exit( 1 );
X  	}
X+ }
X+ 
X+ settings_t *set_load( int argc, char *argv[] )
X+ {
X+ 	settings_t *set;
X+ 	int opt, i;
X+ 	
X+ 	set = malloc( sizeof( settings_t ) );
X+ 	if( set==NULL ) { perror( "malloc" ); exit( 1 ); }
X+ 	memset( set, 0, sizeof( settings_t ) );
X+ 
X+ 	set->interface = "0.0.0.0";
X+ 	set->port = 6667;
X+ 	set->nofork = 0;
X+ 	set->verbose = 0;
X+ 	set->mode=1;
X+ 	
X+ 	while( ( opt = getopt( argc, argv, "i:p:hvncd" ) ) >= 0 )
X+ 	{
X+ 		if( opt == 'i' )
X+ 		{
X+ 			set->interface = strdup( optarg );
X+ 		}
X+ 		else if( opt == 'p' )
X+ 		{
X+ 			if( ( sscanf( optarg, "%d", &i ) != 1 ) || ( i <= 0 ) || ( i > 65535 ) )
X+ 			{
X+ 				fprintf( stderr, "Invalid port number: %s\n", optarg );
X+ 				return( NULL );
X+ 			}
X+ 			set->port = i;
X+ 		}
X+ 		else if( opt == 'n' )
X+ 			set->nofork=1;
X+ 		else if( opt == 'v' )
X+ 			set->verbose=1;
X+ 		else if( opt == 'c' )
X+ 			set->mode=1;
X+ 		else if( opt == 'd' )
X+ 			set->mode=2;
X+ 		else if( opt == 'h' )
X+ 		{
X+ 			printf( "Usage: bitlbee [-d [-i <interface>] [-p <port>] [-n] [-v]] [-c] \n"
X+ 			        "An IRC-to-other-chat-networks gateway\n"
X+ 			        "\n"
X+ 				"  -c  Classic mode(default). Reads from stdin, writes to stdout. Ignores all other options.\n"
X+ 				"  -d  Daemon mode(EXPERIMENTAL). Will fork into background and accept connections.\n"
X+ 			        "  -i  Specify the interface (by IP address) to listen on.\n"
X+ 			        "      (Default: 0.0.0.0 (any interface))\n"
X+ 			        "  -p  Port number to listen on. (Default: 6667)\n"
X+ 			        "  -n  Don't fork.\n"
X+ 				"  -v  Be verbose (only works in combination with -n)\n"
X+ 				"  -h  Show this help page.\n");
X+ 			return( NULL );
X+ 		}
X+ 	}
X+ 	return( set );
X  }
END-of-bitlbee/files/patch-a
echo x - bitlbee/files/patch-ac
sed 's/^X//' >bitlbee/files/patch-ac << 'END-of-bitlbee/files/patch-ac'
X*** irc.c.orig	Tue Jun 10 23:21:14 2003
X--- irc.c	Tue Jul 22 16:18:52 2003
X***************
X*** 52,62 ****
X  		if( ( peer = gethostbyaddr( (char*) &sock->sin_addr, sizeof(sock->sin_addr), AF_INET ) ) )
X  			irc->host = strdup( peer->h_name );
X  #ifndef NO_TCPD
X! 		i = hosts_ctl( "bitlbee", irc->host?irc->host:STRING_UNKNOWN, inet_ntoa( sock->sin_addr ), STRING_UNKNOWN );
X  	}
X  	else
X  	{
X! 		i = 0;
X  #endif
X  	}
X  	
X--- 52,64 ----
X  		if( ( peer = gethostbyaddr( (char*) &sock->sin_addr, sizeof(sock->sin_addr), AF_INET ) ) )
X  			irc->host = strdup( peer->h_name );
X  #ifndef NO_TCPD
X! 		if( set->mode == 1)
X! 			i = hosts_ctl( "bitlbee", irc->host?irc->host:STRING_UNKNOWN, inet_ntoa( sock->sin_addr ), STRING_UNKNOWN );
X  	}
X  	else
X  	{
X! 		if( set->mode == 1)
X! 			i = 0;
X  #endif
X  	}
X  	
X***************
X*** 73,78 ****
X--- 75,86 ----
X  		return( NULL );
X  	}
X  #endif
X+ 
X+ 	/* [MD] FIXME: now that bitlbee has a global set
X+ 	 * (use NULL as irc_t * parameter) some of these
X+ 	 * need to be set as  global... Can someone who knows
X+ 	 * which ones should be global do this?
X+ 	 */
X  	
X  	set_add( irc, "private", "false", set_eval_bool );
X  #ifdef DEBUG
X***************
X*** 82,88 ****
X  #endif
X  	set_add( irc, "to_char", ": ", set_eval_to_char );
X  	set_add( irc, "ops", "both", set_eval_ops );
X! 	
X  	irc_write( irc, ":%s NOTICE AUTH :%s", irc->myhost, "BitlBee-IRCd initialized, please go on" );
X  	
X  	return( irc );
X--- 90,102 ----
X  #endif
X  	set_add( irc, "to_char", ": ", set_eval_to_char );
X  	set_add( irc, "ops", "both", set_eval_ops );
X! 	set_add( irc, "save_on_quit", "1", set_eval_bool );
X! 	set_add( irc, "html", "nostrip", NULL );
X! 	set_add( irc, "typing_notice", "false", set_eval_bool );
X!         set_add( irc, "away_devoice", "true",  set_eval_away_devoice );
X!         set_add( irc, "charset", "none", NULL );  
X! 	set_add( irc, "handle_unknown", "root", NULL );
X! 
X  	irc_write( irc, ":%s NOTICE AUTH :%s", irc->myhost, "BitlBee-IRCd initialized, please go on" );
X  	
X  	return( irc );
X***************
X*** 480,494 ****
X  	return( irc_msgfrom( irc, u->nick, text ) );
X  }
X  
X! int irc_write( irc_t *irc, char *format, ... )
X  {
X- 	char line[IRC_MAX_LINE];
X  	va_list params;
X  	int n, start = 0;
X  	
X- 	va_start( params, format );
X  	vsnprintf( line, IRC_MAX_LINE - 3, format, params );
X- 	va_end( params );
X  	strcat( line, "\r\n" );
X  	
X  	while( line[start] )
X--- 494,517 ----
X  	return( irc_msgfrom( irc, u->nick, text ) );
X  }
X  
X! int irc_write( irc_t *irc, char *format, ... ) 
X  {
X  	va_list params;
X+ 	int i;
X+ 
X+ 	va_start( params, format );
X+ 	i = irc_vawrite( irc, format, params );	
X+ 	va_end( params );
X+ 
X+ 	return i;
X+ 
X+ }
X+ int irc_vawrite( irc_t *irc, char *format, va_list params )
X+ {
X+ 	char line[IRC_MAX_LINE];
X  	int n, start = 0;
X  	
X  	vsnprintf( line, IRC_MAX_LINE - 3, format, params );
X  	strcat( line, "\r\n" );
X  	
X  	while( line[start] )
X***************
X*** 505,510 ****
X--- 528,550 ----
X  	
X  	return( 1 );
X  }
X+ 
X+ void irc_write_all( char *format, ... )
X+ {
X+ 	va_list params;
X+ 	GList *temp;	
X+ 
X+ 	va_start( params, format );
X+ 
X+ 	temp = connection_list;
X+ 	while( temp!=NULL ) {
X+ 		irc_vawrite( temp->data, format, params );
X+ 		temp = temp->next;
X+ 	}
X+ 
X+ 	va_end( params );
X+ 	return;
X+ } 
X  
X  void irc_names( irc_t *irc, char *channel )
X  {
END-of-bitlbee/files/patch-ac
echo x - bitlbee/files/patch-ad
sed 's/^X//' >bitlbee/files/patch-ad << 'END-of-bitlbee/files/patch-ad'
X*** irc.h.orig	Sat May  3 13:40:37 2003
X--- irc.h	Tue Jul 22 16:18:52 2003
X***************
X*** 95,101 ****
X--- 95,103 ----
X  int irc_process( irc_t *irc );
X  int irc_process_string( irc_t *irc, char *line, int bytes );
X  
X+ int irc_vawrite( irc_t *irc, char *format, va_list params );
X  int irc_write( irc_t *irc, char *format, ... );
X+ void irc_write_all( char *format, ... );
X  int irc_reply( irc_t *irc, int code, char *format, ... );
X  int irc_usermsg( irc_t *irc, char *format, ... );
X  
END-of-bitlbee/files/patch-ad
echo x - bitlbee/files/patch-ae
sed 's/^X//' >bitlbee/files/patch-ae << 'END-of-bitlbee/files/patch-ae'
X*** set.c.orig	Mon Apr 28 19:18:55 2003
X--- set.c	Tue Jul 22 16:19:27 2003
X***************
X*** 25,34 ****
X--- 25,51 ----
X  
X  #include "bitlbee.h"
X  
X+ set_t *global_set=NULL;
X+ 
X  set_t *set_add( irc_t *irc, char *key, char *def, void *eval )
X  {
X  	set_t *s = set_find( irc, key );
X  	
X+ 	if( !s && !irc )
X+ 	{
X+ 		if( ( s = global_set ) )
X+ 		{
X+ 			while( s->next ) s = s->next;
X+ 			s->next = malloc( sizeof( set_t ) );
X+ 			s = s->next;
X+ 		} 
X+ 		else
X+ 		{
X+ 			s = global_set = malloc( sizeof( set_t ) );
X+ 		}
X+ 		memset( s, 0, sizeof( set_t ) );
X+ 		s->key = strdup( key );
X+ 	}
X  	if( !s )
X  	{
X  		if( ( s = irc->set ) )
X***************
X*** 64,70 ****
X  
X  set_t *set_find( irc_t *irc, char *key )
X  {
X! 	set_t *s = irc->set;
X  	
X  	while( s )
X  	{
X--- 81,92 ----
X  
X  set_t *set_find( irc_t *irc, char *key )
X  {
X! 	set_t *s;
X! 
X! 	if( !irc )
X! 		s = global_set;
X! 	else
X! 		s = irc->set;
X  	
X  	while( s )
X  	{
X***************
X*** 139,151 ****
X  
X  void set_del( irc_t *irc, char *key )
X  {
X! 	set_t *s = irc->set, *t = NULL;
X  	
X  	while( s )
X  	{
X  		if( strcasecmp( s->key, key ) == 0 )
X  			break;
X! 		s = (t=s)->next;
X  	}
X  	if( s )
X  	{
X--- 161,178 ----
X  
X  void set_del( irc_t *irc, char *key )
X  {
X! 	set_t *s, *t = NULL;
X! 
X! 	if( !irc )
X! 		s = global_set;
X! 	else	
X! 		s = irc->set;
X  	
X  	while( s )
X  	{
X  		if( strcasecmp( s->key, key ) == 0 )
X  			break;
X! 		s = ( t = s )->next;
X  	}
X  	if( s )
X  	{
END-of-bitlbee/files/patch-ae
echo x - bitlbee/files/patch-af
sed 's/^X//' >bitlbee/files/patch-af << 'END-of-bitlbee/files/patch-af'
X*** protocols/nogaim.c.orig	Sun Jun 15 00:33:22 2003
X--- protocols/nogaim.c	Tue Jul 22 16:19:09 2003
X***************
X*** 50,57 ****
X  };
X  static char *proto_away_alias_find( GList *gcm, char *away );
X  
X- static char *set_eval_away_devoice( irc_t *irc, set_t *set, char *value );
X- 
X  static int remove_chat_buddy_silent( struct conversation *b, char *handle );
X  
X  GSList *connections;
X--- 50,55 ----
X***************
X*** 76,87 ****
X  	proto_prpl[PROTO_JABBER] = malloc( sizeof( struct prpl ) );
X  	memset( proto_prpl[PROTO_JABBER], 0, sizeof( struct prpl ) );
X  	jabber_init( proto_prpl[PROTO_JABBER] );
X- 	
X- 	set_add( IRC, "html", "nostrip", NULL );
X- 	set_add( IRC, "typing_notice", "false", set_eval_bool );
X- 	set_add( IRC, "away_devoice", "true", set_eval_away_devoice );
X- 	set_add( IRC, "charset", "none", NULL );
X- 	set_add( IRC, "handle_unknown", "root", NULL );
X  }
X  
X  struct gaim_connection *gc_nr( int i )
X--- 74,79 ----
X***************
X*** 785,791 ****
X  	return( NULL );
X  }
X  
X! static char *set_eval_away_devoice( irc_t *irc, set_t *set, char *value )
X  {
X  	int st;
X  	
X--- 777,783 ----
X  	return( NULL );
X  }
X  
X! char *set_eval_away_devoice( irc_t *irc, set_t *set, char *value )
X  {
X  	int st;
X  	
END-of-bitlbee/files/patch-af
echo x - bitlbee/files/patch-ag
sed 's/^X//' >bitlbee/files/patch-ag << 'END-of-bitlbee/files/patch-ag'
X*** protocols/nogaim.h.orig	Mon May  5 02:48:40 2003
X--- protocols/nogaim.h	Tue Jul 22 16:19:27 2003
X***************
X*** 258,263 ****
X--- 258,264 ----
X  void nogaim_init();
X  struct gaim_connection *gc_nr( int i );
X  int proto_away( struct gaim_connection *gc, char *away );
X+ char *set_eval_away_devoice( irc_t *irc, set_t *set, char *value );
X  
X  /* multi.c */
X  struct gaim_connection *new_gaim_conn( struct aim_user *user );
END-of-bitlbee/files/patch-ag
echo x - bitlbee/files/patch-ah
sed 's/^X//' >bitlbee/files/patch-ah << 'END-of-bitlbee/files/patch-ah'
X*** configure	Tue Jul 22 22:13:39 2003
X--- configure.moje	Tue Jul 22 22:14:21 2003
X***************
X*** 7,13 ****
X  ##  Copyright 2002 Lucumo   ##
X  ##############################
X  
X! prefix='/usr/local/'
X  bindir='$prefix/sbin/'
X  etcdir='$prefix/etc/'
X  mandir='$prefix/share/man/'
X--- 7,13 ----
X  ##  Copyright 2002 Lucumo   ##
X  ##############################
X  
X! prefix=${PREFIX}
X  bindir='$prefix/sbin/'
X  etcdir='$prefix/etc/'
X  mandir='$prefix/share/man/'
END-of-bitlbee/files/patch-ah
echo x - bitlbee/tcp_filtering.pdf
sed 's/^X//' >bitlbee/tcp_filtering.pdf << 'END-of-bitlbee/tcp_filtering.pdf'
X%PDF-1.2
X%Çì¢
X4 0 obj
X<</Length 5 0 R/Filter /FlateDecode>>
Xstream
Xxœ•\koìFrý~Å|ôW4ûÍ‚ Þ‡ƒ‹ ë—€E¡f(‰{g†29#Yùõ©&»«ªÉ%¶áõõŠ"›ÕU§Nªf]‰]þŽÿÞŸ>ýöé'øçŸÂžà—õîøÉx£²?‡?<:úm'æ;¤íO»?ßúög»“zwÿø©®êZÚZ»»ßZ#vBªÊ¹sµ”ÜÝŸ¾ù¹k»_.í¥{¼w÷ùq÷c»ÿÚ]vß÷ÇK7öç§]þÓý?Ã
EmiæûiWy»»Sºòp›Ã7_~Œ¿.ýög·ó*îæe)k~íÎ¸ª¿'MU‡•¾ùkv¯íy÷ó0ôÿÜýëSø?þýéu¬†ñéß>ÇG×Ê§—GWFëÝ0•
¯zøæ‡±êÏ»/÷Ÿw?V?T~ßIÑÌ¿9?ß˜FÙùwït]Ù†ÿ®±u½û¯¿îþÖŸÏÃkwþ¼»îvï.ÏÝxlÏ‡iy!»
½ÔÂÍv½µšïöhšpÃï¦ËØî/h‡M[c¤¿Vƒ`ïm´\2¯Ò:l
X¼£¬,ìüt1*^a”Vá°ŸÍrI?¥×ìT›ùðŸñç`Z4…óÞ	Ñˆø^:v–®©ç]–°»^®ùe¸ŽûŸÔÔµmf›*Q‰:^ô²¸NºÈX!õr'_¹\óˆ~…Ol`oåü^
X6&Þ«;ß¥û[›dïFT“°…"Ú¶¾#Úà^áuåÓ/ÏíecAÑTÊ®
8ÿ¾NöC¾¶ý±}8v¸b!¼_ì¬Â‹ÅëÜ(pøZÇH©|2OK7Û,?w•sqçëé!îõlï½2‹YTål|ÊðHWHáe|QßwxéÆö’,¼D€UÞ-4<µaœÞ§Kwš>Óm•€Ï«X)ùÙy¼øm5BÍoqÕx›<åØŽÑ¦‹CÓÙù2UWé*-ºOã^pÊU&=ïû±ëþüË_i]Â¯æË´œQ=E
Xåeôë+Wkö¢p³]x,7ü±¢õñ¸\üâV\zâò²È¬M®Ùu¤tzËýpêXxB\™h•ÖÿÖ_žñ
X«ÁÿæGIY™ä Óp·oÇ-&@êÆðSBñBêJ:YRÉÅøh²¦ÒÜ50V«¢WºJGÏþrÆ¥Õ`C¨IH
Xkr&Frü};u¥_åNn‘e]~ÈZŸ·Ï‡T§7Ï—5læúù³áÐ ð€ÄDº3Í#Þ‘°-éy¸°÷0Þ.÷) Öp>¾ÓHU;×,’côçé¥Û_¦í›á±›w«•±ÒûG	G_ÆnêÎû¢Á{¢š
¬ÔD‡OþþÝ_þ“œÝIiåÚÙí‡zŽt¶¸FÉÆ©h! $pÍb¡Àß‡á+¾½ÔÁ¢1÷©äw-³·„¼Õ4Ñ3|ºb¢¼µ#Ø7§Jh$œ1:æˆ:EÍ¡›RV‡sé‘ÿ_†ñ’Á)¹ŠDzäÃcP‚¿-æ`ÎäL={7§d½09_É¦©ErD>-½42ÚRÍI‰¼-7Ã!<ÜEØä(S÷Ûuå(ÚË…t-¼‰e©2¼vº•Egà–ÆºdÑ¥øÎ‡á'æÒ	w¯ÿ¶n£ ‹¥Ø6éšž°§1B¢;5ûû{}@L©£¹q{÷ý”ö6¤ø°ÉK´
$HJITâ/í4#@!Úð®¡ÒMšd™‡ã°ÿJ(P¿ì¬l*G
X(>U…äâgŽ½ ã3c‡FšDœŸÆXÔØµI6‘(*I4v‡ë¾+!’&“iµóàÙÉŠlç×)ÅPÏBÃ‘µ"Ý^B ]Ïýå½@ÌLg¼Œ)j§1LV˜Ní±ß÷Ã•LõŽK˜Êä4·ä—°~ôoæ+Œ—ëJ$JýPÊ9Pš4š|©cQN»øÐÁÀ.£µÇáúô\ØFÝx’ RsÀrÐÍÙŠ§Ô)Zð™VßÔj	Àæ”˜º×®MÀk0åô%Ö *Uoó6ã
†¸pN¨¸ÄÝ$öþöÜ›—P&	Äui° ßÔ	lêJ
XË‰'‹9Ì¼³= O?íØí¾ž‡·sE½^*kNAïÙ¶o7ÂGMIi˜+ßöÈ–å½unMùÞÚ÷R´møÕRšÀO}Ü
XÜJ
X£gÿŽµ–næ8Š[Ö—â‚ñ‘ž—šÈ¼yÊ¾Qã3ó^0ªýÈ"œ\ñ¬—q…Ù
X3²J…_Ñ•™|±jé¼”~Å3a1PEžhã¶kHz‰jòmwŒìbàÔ	ZN-·¢q@Y’teó×O,%ÀCHÄ6–Ñ€Æ›"z½q@HäG§hÙ«’I¸F‹‹dÓt=u‡Ï¥°Ö‚R†uÆŸàF¸©=¡lú’!¶|§`ØäïÁ<ë\KKªï#åÑ„"—±}fÄ¥
Âl«Úbd˜MÔVº¨¿|Þî„ES5>=ùG}"µ+Ô¿Åm¡²—Ë¢ ¼-Ép=’µœ]#"Ló;N˜ù„5©«	H§®+¬ÜU²”®ýƒp«|«,Eé¦X—ÊÊé2LÁB·*Tx+ÌŠ¬€¢wÀV…7l»‹Y“Ô±ã0~"Âä#Êp„%5ËUÉå¬UéÁÁT¥Îv14ôäöƒÖáê´ÏAìCž7^;ÚÀ©Æ.oi#åûëH*\²¨ES.‚ÚzÆîó6¤µ¬RÊ*"i#ý`V»¯Áß31Kø‰s-=|eyb°&a”Ac²,1Ü¬aàAM±†ñá½¢ÜâÌ,r)îtê.cÔž÷Ùº®URl&5®%£O¬2,l›‰À×$õ–\
*þÚ¥ú”
L—+Z]¥º	“EEž}#Û±Bñõdd›±;B½rÖÚD‡eŠ±ëËKÔRÁ_I4Àòãa¸òâKHÊJË]‘*0q¢YW6àc}“gÚ½á7Dº(ÈÒÌü,’™ùP"šuÁî|a‰’XëìZÞòc
XƒBºÇ\ã ¶ê´šs÷´Úô<ž,oz^ÈñÍ‡žGÖ+;žgÍ-Çãíˆ¢ãA9›n‚@©%äÈ®wÞÊNÅøÑÊ©¼¸Ž5{z©_³JT˜¦ñ) °´!üÛótê§ FL¿þ©ÚQv²¬XžÀ
X¿;@*®Ì¯úCó²´µ(žJª%Ù6T‰ÔjÑUîB//P¸œ‹’›òú°5SÆ$°YRSæå%¦Z„AAÅmà¤vh!fLK©°èÿ‚²0Çg:›ÇlÈh¢mÄÒ<àÖyë¤¨S!™ëÔ`lU™¹ÖÏØx¹(§ýX5`•ØC1Ny}~mýŠ¨ŠdúHØÐûîpèã©¦ žKêètc¨	s+èï€ÏÎÍr\ûT!zbm—ö+™‰åÒH[Ð BLœÒ¬W§'|&ý¥‰†Vz;M`SïFžh¶i"CÂ†j÷Â»Àû¹TÈ(^ç&ÅS¤;íT$3T˜ç{4~Šä2í*œK?u§„sn_]œÞxR1åŸ‹=Ì $ó0‚N
X îðñÆkñ®¨›êÞR(€ë–g[ÈcäC}fxLàHþN]KF “QÂ-T¤«ð‹ÿ´\HFƒŒÐ¤myh™Ìt4=¿ÜZGƒÂÛ'Dé<µ	˜%U9z.Íó<wØÍ.ùöÜïŸwÁ÷ær®?ï‡q„Zùÿ'XÃ+¬‡áp³'Ò@Äº§•|ìŽ¢ßaèŠU¯MxÄLÏPí¹}e…*& &Ä@Ð1ÿ”Vy™ú\ôIæ:ægˆ_ˆg×Âì³%5¿$ëú¢0¤\Ýø&®G¦÷†j¿"1ÆúT…bFÛ}hü 	R•ÝVÈÙrb2[¸‚’6ÉŠHýÏÝ+„ =/g ëXL¼„t6‰®r3–X®§Uv™ab œß!¬ÏOÅæ\èq%ÿaÍ9þjÌ7ø«Q§—×†¼ÅKÐ¤i–æØB”DQ6EK¢ëZ˜a-µž=IóI²I$dÝäx¼°¶Ó×é±=yC_³•–(Pe	yezÿ}KT‡QÂ‚"m‚Ô‰žz›/ÉJ»	P1ºÔ„’ë‡$`#ƒØNsˆÕsPùþÁì{æµO4eÐþôrœdQ-‡iH~ÊÄWÞ&ÍÃ•¡&Iü†¨.ˆÃ1mVK+73`ßç=¶åüÍ÷7ÞŸ2-U/×ñ\_–÷
X0VÛÊªRuLqÏ•°i8±ÊaŒ
m`L†<ž\ƒçt.'‚õâ%Ì´3MÌ[
Xi{P'~gB2Û&µIÔh(ê×¯šÕÃxà“E¼ëmèlêë¶bë¡IØKÔj8½´¤¹¶š÷µ#ŒÆ¥%«[Ó˜ÔdÃ|1¯MeèT¦ÇèAO3²j4=©ìÉs7[GÜXke‚íâÎ¬xvJ×K'2˜Näê>ËßÀAu,\à(Ôì+ÆÙb„X+òx¾]+J%7Û"Bõ,"%3úi
}_H@<tCÍ¨9½²7½Žõ”ÔqX:ò€7pÚnÆ<Áþ—ÂKòP¸ñ’\ÚzX%beWáòÔ¿²®,É_°Âs€M“’š„FÏ¼ZÁ …$¦=—r«TM½²Å€	°C¦Ù–YÊ’2Ã2 ó5ÁšÆqð¯Æ„¨l±–f3ØLÛG5lÎ”
r™œ*7FÄ	®}\úq'X¶ŠÌß¹™Èu€ÇÓàöDæ<u_Ú6ªL¾ÃjjôØFk”kÒ}$
MÎ“¦XRž¤lnRr®Ö¿ûÔgqK÷öÄÔòKa‚¢0&SÞKi«†€P’@ƒH¸VØÈ'W þUâN8vìY=‚v-qÔ´!WÈÅŒdAy)±#¿~Æ¯¥HÍ,sGUD–oy*rå[F™
œKdÁ6³ÒÈý,Ð@Ùè‘€²ž[0ŒºñµX[éËù2„x\îšMäS`ÞÅßbsùÙ[ûÍøF®ÈFq«YêxïÚ‘K”»/"ÞlØ]t]A¹G¬îÃ©b~'–œ±Ü%Õ[—°ß…pàÕOZ!%6âF<LÝyê³¦oÄ6D?‡;àÍÑŽ'„P-ø"%É×	JêÊÚ6Kg@9â¨ó…Ú¶ôb*+Ên+§¯ç¢|åõ¼Ö¦^¢g˜Ha³	Œe¢ª‹Ù“¹lþ"„;0ƒÈYv²ml<Ï#LÞJ-/è$ÖV¿ô§ëñÒž»¹ÊˆV&Õ6Ò¯N<‡õÈç}š¥î>ÄÒk¹›S ‰‘Rã=·¬ë¦%ÄžÆá-ãzà°)~H	C>=PCwÎ¾Ò˜%k¹A:ûÐíÛkY,œUhŸIL3ÔàÞ¬ýñqì:V¿ãÁ¥ç“b2;’Ûr•Ì®lT—Õ]†áXhàüìK©‚à3s7kÍf‰I@›¥7@ãô@†k€Ø‹J28v3÷Y2Gd¨ÀÂXâûàÒ*é„OÜtuÆ®ªö›RÔ=öc÷×MÛÐcoW8h½Š‰U¥C÷rÞY«PàØMUçÒ:ïÔ¦)Zx
 MœS“¡5Ä0Í2D7÷¼T|Éö©íÏ¬ÖdÞBØ´ŠÂF¸í$â„}Ç†ôV-P}üá\ŒNÛnðP©VD4=„f¬·Ó£ÙØHæ|b+×4¡7“„
XÄ]$Ñó4²Ç†äHYY`~
X;J•Ü„ä(¼ª 6	Q‹úeÍàgànë¶‹=%	/GÂ9bÓ¦ß%.vðÑ!(-téLD$q–h™Äˆ1áÙO‡Zj Lr.yïç£2ß~ùñC*Hÿ2Ô÷ÞPóå6ÞXUc˜³ÔÓÄ¤r=ÃM€%–f´£ë2W„×±x ™éÇáxÞ²Ó…ì¸‹¤`fò¤?…S:i’h¥Íoée‹ÓM¤—Ž_¡ÁEcž¼ÙX·ÀKÂÅSËK&(sŒK-~ìð3–[®ˆiŒ“ÉFõ:ÑZ<Ž¶8H)nVóeMÓÒ9Œ„åÀP:íÃ-ºÁ~•C¦v|¯ø¦7©ˆEe2œI^/~NÚgaÊ#LŠÀò¸q—ò_$îéhÚ-€÷°,0ð™•lVH“˜Ô‰Œ×sqØ‚æ¬9Ç¥Ù<T«/ÃK+LÑq…ßM ÅÆ§¹tDb0iLl±«µ•ÐB{‚Ò,ðPŸx+
Xüãä¢ìvµP j!pµ	Ýê‡1ÓÊqæ3P„$.¬&>Ã¡l[@A·à{ª4X:‡OœÏAdYSc’çÃP,íBíŽÕ–>º9x°š«;><[çSrE¬Ql’’·š½k°Õ¬lZt;Î RÐçuÓQ¨Â9çšªQ¹T’“O‘;vÇî•uµY(8>XÜf³Õ&I8èƒ]».9áÒ‡k7Ì¥¬üp=6‹§·Øib(‹.Z1m	v"j†ª¡„
l”îþãS€âüžÒ(Ì_jC}ù,QÇ
\Í#M[nU¬5
3—X!ù¯ˆ‡™à³>ÇÂj_TÎ_³•sø 3?—„²=-S:RÉ?6=ä#Û)4þÀ»üáxÎ\iÜ$›)—Ø›:pö{>ˆ³X¯óBù,ŒÏ“ÞzÆ!P†$€‰
X©+&l²ÖŠ…v5•–*Ÿ@¸÷¡|å
X¬¦6©jÎ”¹YyàCám²ö‹† ¹òCpCïÒçh´_{öE‰luP~àòÃl·˜Rà™ÄÄ/¬tÃ3úËÌxšãÁD·X¶L¤¦.ÂÂtec–¬VRzs³X„’ÁŠÄh;ŽWšÙâHbŸ%RC4¡01
6Á¤›¶µ ¥ê—O'&Ï±˜G§0a{¢à1µ]`~vSì1^Þºòñ:ðQe,øÃCv41uæMÔ”wn°0-D©‘âdñÃæ`}€âuè)~x;ŒAåáúrì÷7aá˜Ál¢°›ß,Çúy£=Ž ]øô2îÜÎlöh;ÜJÌ\Îæ0OÞ“X¤O³·$ŒÉ”ÖCìµÐNJÝýmÉ»úÚ@Òt½Fî¹®ŒýÛrÙú”ÎÈÿu¶3ºÅÂó¡Küd[¦²g°9G2lÅñgLÝåÊØ¿Õq›°Ógù‚æ"’0oæÁE^r¾¹l.N§sP)GDŸ
XqÎPoÂœ“+:±q+ÔBRè>Sø*B¡ÖkH‹º•öØÏzLLœ›j8\R\
p-`9¢[Ø>ö¹®a°¢*|&qtÆg¥hˆž¡îŠÔ’Ä{KXRhtÚÕ\-;ý$_È—M„—Dv¶?„q¤Çwn}<¹¿þ”ÈŠÄe\&Óa4²$T
»óáeÀa‚¼Û,9nt‰æÜæ½¸¬Û©eþ¦ÉBãF†q´×¥,ÃŽê6Õz 3…¬í¦Q»N0K#Yiš æŸ3¹qNÛð<†‚[|.Ýg‘|?ÿ¨Wên‘†A‰É/nK>1é‚Å˜c8 R
>Release-Note:
>Audit-Trail:
>Unformatted:
 >:$‡å•vŠKÒ7>Çâˆ=(”&}æªžA“m{,(‚hq=÷¿]»]š¨ïówïÈ·«
Feƒ¤G±€ð¬|º}ƒÉëÙÑ#ð†eòs–¤j“¼~ìº»ìà¾õÞÆ†ˆ$ß©{æ:4˜Ö4º_Î?4®Ié'/'h’™wLµ_9¬Ùy…èpÇAM~Ÿ¹]2ó6¶Ø÷ßîo„=;o¾Ö\eî;•ê$6–B»Aox`ðXi®A`×œÏœó®9{›Gi³½Œ¸Ÿ=gzéŠ·u‘±ï[6ƒ4¥ôiœŽ_cBdu¦F¥Ã¢3±}XÓÔILÇÓ” «¯ŽÑ§µh/Cç&ð‚$ƒ(ô´_þûï…ÅòŽ$.v
 Xø¥«ü‹qqøÙ¹òO’Kr§9`Û¤o&…¯ à²þf}?.Ã:‰}?b6˜F'ÇyêÇ¾;Ï±Ù»_ù×ƒè°v²R6N¼]1='þÛýî§O?}ú_ô<Üendstream
 Xendobj
 X5 0 obj
 X6177
 Xendobj
 X3 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 4 0 R
 X>>
 Xendobj
 X9 0 obj
 X<</Length 10 0 R/Filter /FlateDecode>>
 Xstream
 Xxœ¥]ÛrÇ‘}çWàMR„0îºõÅo²lF06ì¥%8¢3
¢Wƒh.„à¯ß¬êªÌSÝÕw7,‡H±Ù—ª¼œ<y²PmÔMåÿÿ½}z÷ë»¿Óÿ½Qá¿§mŸnþt÷î?4þ?Ü=¼«6U¥]ekus·}7ýeuÓÚMWß4ªÛ4½¹{úú<üzóÍÝ‡ËkM;]Þl:ÝÒß¸Û}ý0ûÝ§oÒUªqU×ø‹t½ÑU¼è<\ø6Î˜®Ñá6nSÓãÂ—#_ tÕÔÓzc”Ž·8>
ü®R&\¡é&^1ÆËØïù>¥'µáª–~_åK¿¿¹È ØÊ˜xQ“>êîq8òB†–©‹×X›>éÖÿù¿ ruãtx¡[ÕêMçôÍRUû+½‡ít·pug;ÝX±¡K«x¿Ãõé~8ùishmüEm¸_¸¨?Á}¬éj^KÕ›ÖÆW¿ž‡]aµÞ´³µ7©ëZÉb·ñe®‡‘Þzÿ*Kàj7-é6.-Ó¸—ñáU^šÙMËP›S¸C¿}ä±zÚµ©›øuÇíìÄZZ€.¾{ŸøéëË#,AC{lÃR*¿{q%‡ËËñô‹\eŒnª°ÇÆmZWa?>ËB(Õu•O3ô´dÜÇ,m´
 X/ì¦‰wiå}é*¸G»QÆuÝtÁýx9G÷˜v¿ëŒ›®’=>È¶U3íª"c‹/²ë/}aWoUC®˜-óxà;ÑûFGS›6ÙZ¿`·´ô¦6Ñ„ª´2Ûãá0l/ãñ°¯'sëÂR;
 X6ÉP¾?^ÉŸù™J9žiéëÒ®/ýéÂ¦-Â´ÔnÒúKñ½«vùÞâþøÖs÷÷¶hš¸J´:d'²J×f^Y7ÞŸ¢…×è“°ÎèÉHÈš™><,ß¼Û˜z¹Þ–¢£³Ñ‚ºdB»áLKØûõFÿÛbëMÍÈ+H¦¨*ã¦Y£º¸F/ã~›†bèÃS¤‘P«È¤[Ã–!°Býv;<öÄTâ°ë¶Ôé¹)}ËÛOß6EGÛ›|¼€¿v3a+TµÑ)j‡ÃNlˆv×¶1Í°K‹‹´ô>HyË.xî·¿@ˆ¡ËLSÇ¯jU¼Ë=]$[FŽã¢ Ñžgýe¼<.ˆ"š¶ùú„¯jÉñ'óy/]òãýñÌÆp‚Ý÷â^œ])Þu†WFö‰|«vÑÂ\ÊU½¤•š2•¾Õ¤¼û=º:EûJÅ÷`W=Ñ÷œžŽ˜ƒÚÚÑ¶‡Í4›ôÆýAR£ª]ë¢¶†\À£¿¡¤búgÂ”Õµ|ü·òò®RFÐÉr¶ý~/)öÂ°+ªr•™L‡ìÔ¦MÿîûÿXy‘¦ø*ÉAñMÄAU› Yp›î@û´¹`âºzJ^”	LŠÿ|
 Xœ¬¯
 X˜Loõ›\á“À´ì&íhfYéƒû±Ëáùd?H ÐåÛå«8´sXà>ûŽ•ðŠ“½YIióÍ¶z*øòèÃñeË¹AkBaÓÂ:zßvØ}žØ°Õ!ÛF(rÛ55ÁÍ&>V×òXAÆi1‹ŒásÉª*†µçÒ’Å¤ìJ©Ò^¶„Æ.c>.!ã\CE)5““Ïra	ÇÖ³~éÀ¯Qq”ÌtëÊM1˜§J+w~ƒ„@qÏvž¯Ìõp¶Ãø¼Ÿšmg¸rSzuL²S6boziI›3wpswÙöR4@Òx’Ï† šÁYÁßwÃéN5õÂ}£Õ{{>/ß«&*”ÚØfá@ãé,yS²+=ŽÃ$×)ô^4“½wlï/c,¦ h,G8_0‚ ÑT¾h;K°/.ýx(|¡7
7É‡VÓ°ÅðŸC”Xt›ï¯²DP[×’Cc&nf©öjæåÛáX|ˆ	1*.óëþØ‹É›Æ%„B5W•¯ ·ü3˜>Õ{ZM9” ×{wR}€0S°£õ±üibØRŸ˜€‡&S»ß£¸òpYuj2¶‰UgU°×¥+R˜–[+¢1R
Ø£±ôJ1•ÖTÅã*õ‡×—þµÊL[ ŽhDõ¦©ÞÆrV–±˜qu\‹`ßÔ	…L/:-Ñþ\4º‡ÌM5ÄD†„äU²D0ÄÊvw„i7¾ªN¡Š¼4ö\µÏƒ+!ÐB}+•ÖB}+¤Œs•k£¶)ÚßáÐc*mxRÆÆÓ®`èÇ³@ÒùCc%bJ˜‚ì™×gŽ)*cZòÆ7@E!LQŽvuÁÀh¹U»¨Ï¼ÒÒ»ÛtŸ™åK˜!@Ì±úþµdgZrfnh
ÚdÈÇ8®>ö_°ôo=ß“GûQª~Ä¨šx9ÏQ.0›¬Ô*A´õÍ¼š[´ã”ÙÃÒqYá{¥œÓz1Mv tßÉõ°r¸GkæÒæxO¾„"·Í?d™Û·°œÈ#høšÏ·°+MÌå¼>{>ŸOcn&Ö”WÏ‘Ád*ººõ\Çä §aÝ¦B ¸A–©„ví‚YÚØ‰MÃÜ×ïv£'ïÊ2[+ø1[æœ5óÅEL\bÊüÑ^ ›ß}ÿ±lày°QT%LY#ÏA¾Öö
 XŒ«1Hi˜è«Tp•{öÃ—þP2ä«ÆÐ%Le¸ž’'iúªª‰èœ9ÿþt·ûá…Œ©äã³šB»zâ¼‘ô»ãß¥óuw|[ÇÜáø¯¡(DÔ!¨‹µÞ•Ÿ×m\òœÙóÚ6z=¿Í?Ogë‰Í¤»¤Ü°.Ãéi<å\×µ“
6‘ã£¦ˆÔtÖ.hß§+pâ¬()ti‘øÒ«âê·8à:«cí&»Õy<žæÕ’þ-zÑU¼xo‘‹)¾!¹è*.VTâžVÜ€å(àh2‹—Ò7µ²G—Ç«¼¬N%ìÑy8}tËƒ‚»S_  iÁÞ™Ž²¨ÿóÆ;Ån0•¨jüÁ4=}'‹ïë”ÓQ‚–¥@0E]£á<
ÛÇþ0žŸÀ°l7Ñu¶°ý)«<913d^˜¦ËAa2i¹=ö…H‡Ë‚ÚlÍ£(Àé`:@¹'ÇšÁDÈÀ+]“L"¨Òu¼go¤¥$Ónj»(e0½Bþ„øHðZu‰‰NÆwêg¤«2Qnò§|fK–¦)€è6%z-,Hèd}ú[ÌÊ¬Cñ„YéCˆ°ÅÅ€Ñú€›C`UOK€/ÿBi¦ÄKÑƒ,ç0RdŠÑáp(Ð¶,•è’¼¿ÀÄÖ¼ Á0g¥+AþÿGZÚÓÍ¤9©NÃpKe£<µîºz*‘&$'Ûû_K«&ŸvR]è
 X	XÎçæ|Þ÷ÛR*Ôõ&LV#QNr¶™¯én|`ðW{Oào^×=šK²2#¼ÉjK)HðÒ·+4íg–‚¶4+F6Z"KÁXä±µ@â¾ª»
ëVP¸k‘þkå™þ›Õæ¡Ië©6YÛÃ±Ôí¶um€bp…m^y™Þo7ºÍû31AÖQd5Áœobh¯ìcÊÌ‰õ…ûü[Þo‘î‚_ÿ1bûT´6%ì?ŽOã-Û›”Žu Ëeù÷ý©d
VšnÅZ9ë”"sª¸?ÐQ’B/o(¡ó¨úw–ƒK'f@–ÍeÚVûg´RCŸ” ÈM-\ëb>`ªN0¤„¶sM¤%Û:¤4$v‡›‰6¢Œ¨ŸÄÂò¶bUq‡®Žxïñx…zO¿î(ßÏœ3v˜AõB^	´‚ãJ'‰m!F°Ç*˜³ƒm(ŠÆ£”š	U@Æ!Ô ºD‚Õ)	ÐbœžxÍBck€FH%Û%€¼%“Jì®[”& î7¥þ¢}ªÎ!ÊerÕOwé±ºá¼ÅÄ	Yq‘³D‚)žº
ˆf¶(ÒØê}»~+F,u¹;ª'S¤`ÅÖa7œÎz÷T^Í²ëDÎÒ”)v©h‰Û ³ì Sñ.û•„fØ0Ï„fš’yäbœn=Ä-gcE•—²ÃÔY´‚7æ¨‹¼ïëKB¦Ú%;KkåËì¡ÛÜJ‘)<Juç‹túýx)2þXÊf]%©®Áóéx9n¡°“¶©%Ñ>fl;3ˆcŸú8¶ÔtKÌ*;ç¼~/Vvœ†þr=
Ew!6¼Ëà.Êwþ¦aX:üv¨Ú9ÎÅþ©m%z~Æ¼3qëèEãvÚ
¥¼›Õ¤¿Ó§þ,lTíœúò".èLÆ¢<¿VQŠßãéxýÍÊºöe{XÄNZ™ûLŠj–E1CQ'*Y	“QÂúÚn:›§èm äÿjtO J%dR5Þš ÚÌÐ½w^ZïŸ~xÿ}Ó™Ÿo¾¥_þ¨~¾ñVA¿Ò?‡¬ü‡ê_®<°“GB:†^ºÝÇ‰è|?î/Ã‰Öaú› 6¦¬ÝY—2û+äï±QÔJÛÔ2æ†ÖCºkÉÍœ¾ywÕÕMêÐqú&ýR”ÇbåRl†‡%Ø ô4Äiý»‰n°|ØA[ÛVM¤fš QŒ¯p,): â¹Û€ËôóàœÅ”ÓÛíp»¢ð×MŒ¶€}7X¥’Ÿ›I§S;§=ÞÁ
 C"Öó
  *º§þáaÜA˜ìÆSËñmr«QŠâq/aqÈd4òÂÒ¯	rÐ¼ÖÝbçAö¼Þ4é½=‚ð¾lMx
tï|ÓXä˜öý~ÜþRZBˆK²‚„³\£’š/=dê9È‡C_Òh‘6ß÷XÚA—„W HÕº®Òf&¹Ëpòâ‰X®æîF3'@O£wá¾´ˆF&W?#!.%Wö®B;ÉkYö2ËÚó—i6ÅÒ7Ã›ò2¸ÄÙN·]ôS¦Û¾ô§ñx=—Þ‰ÖÉù¨‘5Ü2<!ð…Þ‹ÁÙö±?õ[¿žg‚rç2ªkp:±î†¢¢róÔ<ô'Úds6˜Y/Kkª°c ˜à
 X<:Ý·âÐCË«î2†i×9Ò÷25³¶cÀ bøžã›84ÅRüh?RNðŸšÊŒtÉ¥Ø’cà¬Š8FØ÷¶Ž*rŠÏèÎÇ}šŽXôØ©eœÝdT¢P²€®}‡¥íZëÐÎ4„“t¢éXqW1_½½8\À
 XjÓT}HhÈñóó@¶·“íhéÂí¬-ÌŸ‘ª—wÖÃ÷#R¢ síBïo¥€ÒºiÛÔTgrè|¼žPËh—Ò2«Ã±ÿÏJ|TÎ”ø>4Jd²bœ¹ÛÀ>—1¶µPnV²‚›õ¡gTÒ2•ÿãÏ‹ñÈ°ô9¡;ÖM§B\¢kÝØÄå1[ë9Ì’L¤<kû¢öõýÐ`ùò~àëÎ÷cFzÜ*Ú‘<¤<Ó É,Éú"˜¬2YjÐ•|oÅÖxî¥¨0((5òH	Be„´žLL&'ŽP¥)
 X£S9;+¶ÿò¥¤2§°ÝòÝ|o©Êˆ.?0ÀOÒÊô’Éÿ½6JœH·~¼&:$÷;¿¢ííï÷ãùqØ}%ÁT%5·Š~^_¨~„Ä"B×e1ÌeôEôƒlÒÿýhå™ÕýÐ«SòS3Ü$bVk<<OOùdu±—l;ÁŸÒüKø4Ïþ5	ÕI”ˆw¹m¶*K”<è.ê
 Xãg
 X_³¹DÆ¦5HQË]PŽ“‰hG“Æk
 X,åW«@~øñN>‹ùAdQøÁ…?ÖË<¥’ú:…ÇYÁ»¦¤ÒúÎìËõ¥¦Ž3O^Š˜U:`÷],¼¨Œá^ÿOþóG¥…V ¨=Å[JÊ œõ5Ü-yjà4-´Ž,
¿ÿ§‰ÒÙ
»Oßüœ5–Eñ"HV´,_ó#àr¬Òµ¼i«fá×X‘´¬†_+4†_¡ÂÉû¸5ÂLx t%–™)â¨·]âKÝr¸@».QÛ¬›ñ˜S¶vé&æ'@”ÚSË~½h£>{µz.Îœè»Lòô|<> ²Ò¦çÚåèÙ_.„ØM_hãr³¢ü% “å½©ÔÊ*ìýLÏ‚ñ¤“ê\I(Ä_ÞàùÊ·²lç¹z.d'_SÅRVp$•ŒZ"€_* x>NÐú0<•6ÄÅ°Éž™cÊ˜
åx?{(‚c2¦4ì.¥:áY«¨nÜ,K_Ï—áé|C¹Á¯?ÙÅHÅ	…[ÿ»ú'ŸÚBtÖËÂÚ´-¨šôS2ØÌP¶kR	Ásg¯TžKíHØ³LdªÖ¦8ÍlR C)SƒƒWGh\È:UËíi%eúîºÅ"]Êú.ë©çƒ‰>–AÈCñnôÌ‰Ï„Så»°Ä³s™ß9×M	;h?U6~{Þ Çl:ZR¶oi,3(
¤ˆ@° ‰Æ£€É×ã_Jæä ]hÇ”æ³²Q' ¬TKKÉZÊdŸ‡ÃpšAsh4%®áJpXÀ^L$¤‹XùÚ£
 X—‰pð;yP[·*5x5ÏÿžÇ§ç}É…eÕez5ÝJŸ¦È_â§…{QyáÒ¤[-|ó=îªÍ	»DÑ™šµDæ•p¦k¡tAÞ€þšÅ<Nz£+b˜þÿÏ¯Y€kü,œjvsü„h&K°O_?LCÉàÔ`"ˆ5AOCìw,—šRå’ø‡!”§õëÐWìÁÈèŒ^Hh]`"4ÓÍ™Å[Hw¡0ž/åÚ©òðí*	.ýé3Nº×å„	õJ¿ÍÒ(pdñîÉ#Š™u³˜½Èdp õÒk•ª©âìD^$áý”šI$<C–^ƒ•Æ‚—ÜyØ5ù TñDúEÕ,¯_ÁŒag‚Id‹Òj„èã„.¸¸ãÃ-<rˆ¥$õè"…›‚´3¨–šøáÀ¯KqÒzVƒŒµJ	l§í´N„”gŠG˜e¬[zm•`<SÆçŒ1nÓÁ/M`H†Ë°ÍEMÎ¡Òa<QõÓ?þ
 X"Î®¡§°Áƒ¨ûëw.u‡ñÓ?ÓR¢¤b7pÕ˜–|ü1É›%¬ž¾ŒÛ Ì$¹òˆm±Ž^¹I]&B4Ì€ýæ´€W½¾"ÌL’·ß¿>÷çóMÌò©oõÓŸ~øùß~³–;Z¯¶ÜaÂ ÜîÔÂ	g?m*c×'?å˜8Û‰[©ù¼Á…ºì+kd¸ÿ…Oeš×;0Fw^°N!„WÍûì¼"’€v0¾–¥ÝM	vÿXˆ	v–~¤…ã#fýH]¥2CÉÓKøŽV¨MMÖ&ú“°Et§˜PL©ñ—axæ`A«i×1ñf‡Ê¸Dc
 XqNcåñ	y¬cÖFíŒ3{)õ)0Ù`ª‘©KªR\—àŸºÈ%ã.Jø0Û Ú¼ì5Âc°”×²@¬ÂÄÊYÁláÖÐÊµ©aoó†t!âÀæ@8š—øû;(Ã¤F2¢íã sˆ’"±É%œ>%xœÙä£ØÜ9”]ôÙúíå*J\™zkì¶ßCÍo¸ÓQšš"Ïþx(²zÆÆ!!)âÄ‘ä1ï*2Çy¤~?
 X.„)ìóÎOÄÊR9Cñ5e4ëf [ž¹.!“›ŠŸÃÈûùœjf›ê¼ß5@f—‚€´ëJT6+ñ §È&>¯'hpH{Bû 1:5XÛ:ÁÅÝë-ø.·ÄÔLÉ}èŸ„Ïä€|†œÓ¢hGô|%|üÃFJe®Z®o´¿/«TcueÕÌ¾{îO(ŠLE(9(ƒaæ‘f-S{I%ÿµŠ€æÚJ¬A%‡§[Íàn&u]j§S;%×³¢›«2µðš&²‡xFÍõà§Š HÖœP@m¯‚Äy'=Ÿ%BØ¾Ð¿	³¶Ê'os~¶*ý…²! Ó˜éÀÔQU˜yÊøä8j‹åõ)}³„³ßyrÿ¹HéÐrtL3Aƒ[ã×Í;Pª¼ºÀàð€yãL¨²4‘ÓyœSÍiÛyÑØð4S*çÔG
ã±ÇaÖîåó0ÒŠÃ¬
†P¡8kM€’&’»IMÃ®èÉ¾qË1Ë¦“Æ§yœ1SYøf«ÍÒâ<û27?¯rói‹Ó°Öc‚>ö¼Ë”—°0i‡%2‹:~c'ÚÒ@ž¯Lä¼¥NPH
 XC^ïD .ã1BÏªßQQO¿˜øÄŸîÆ£b†Á£bQÌdW‚y.;UY0ÏÔI|¢d˜HÃ'Ãá³Ÿÿvé†xàÊ[YFÃßÚ›•ŽX¶Üä¨2<»æá˜Í¢r{•³MÖøÌZ´¬wAæ\T*pøJ’§ÌlÑ‰UÏ·°¡Õ¦À”Xc›:åÑy—/'ÍryBÊ²dØ4Ac‰QæÞÊDÎ|§Ê(gäR€qÎ«"TÂ¼ô¯¼Y~"4:eÅ}
Ó³÷9
§ê”~j±Âã©Ø˜âT—ƒÏ²ÐâÔÂ+ÙÓ¨1~Gwe[hu¿©»Ò›¹¸h&Â§ ŠV(·©LiÊ‡êfgñ»„×ä]rî¨àë,húY{îy†ç"$ÉtÅÿù8‚-qëÉã•	4öôòš#ãngŸ¢TYyÿ)6}êþˆJ
 XuÓ# {tî Ît&ÕÄÊÑÕò¸ß”dZ{^÷Èq‰Òˆ² ·%ËJ#ŸVÍÐ]-€éi¸<Áz°¯]zé«G¾_×“|ÂTÂüR©üUéLo+¨Zõ]»ò¡ýžâH2¡ðt8rÐI±‘Pœh
 XF¢Ã9
 XÑ5 YÁ9
 XÙa4A)SçëuÝwA;FžpZ´Ñšó8«’ÏÃöz–7	I:e_¸´à.H©PÎÕIãÒúÎ,ï=ÎÖ³ÐN«ù°˜°ˆ7³ÓfÑ89K;Ÿnˆz¨ìXCH7_²'³òVÜŽ¨‡®ŸL
 XÌ›~}Â•
²³Â8á<`¹L¨‹…ºlŽ[|#{UÍèÎ7I±Â…€§–åÃ¬º»,ÝÊkGUª‹Ð¯t%¼5«óúûóq½à1÷¦JxÒk™9÷Ïö0y+0ëV9BGÖ8^®@vÚ¦Sé`ÝìöÓ)iŠ¦†IËÑE‰žíáz¤ÔÊÜhÆÌ–d|Øe^9ìŠ_	»ÒÖU<mèó9?3%eµ	r¢²¤N*ùl>ËûŽS^uœJŽ:hó€Qªu˜/ËP´'ë‹qO–‘ì±a-)(çÚ=ô	Y©ƒ à4|äl3*!ÕÄ @†ê÷£œ9¨]S¥ 9Q%ÌÜø¹56Úæ'¶Àçá„8Y"‰é¤o¡dŽô<À
Je*’KÃ§ñó#à‡fqpk®§ó**W§h^L'EÝ+M×Ã¤:þrÝ{mÊý¸/ãp–1Æ6#zAÈ1üãD‹Ó½4$?ÕPÏÓâ‡qÂñ«©]—ÕsT2Û6©AÃß¹‡SHY÷Pžœ
{UáoNßórdSf‘#ßg]¡b@°¿ùØÕÏºt	¼â!wøP:ç•Üëõ4L¯¾þÃgVPÈŽ>òÜ2_0Ÿ9]¥Cwñ éÕ¾úC§8ëªŸÉoOØr–È¸ë‡ñ7  .Z“f+˜‰zÞ÷Ï³Ÿ±H
 Xç›q‰>O†Âõ5ðÂz5ràý€gœ
 X½Vè^WÄòÐã•E³ü2O/©3‹³®ú«¸.dX BjÅ¦=•kª^îDX4å‚z× u,À"à;Vˆ…Apk¼ /ù”ú.ÅÜTˆa˜¢(ŠDäiSF©héÔ¼Nj5›`|,y×ÊØq‘íð¬m“ö1c<²S‡gÊÓ3œxV+(+ŠããùšD‘4Ç¾8ã óé0˜d¹".€y•ûþ-`VZ[ËV>`3ûùJš²`Â,‰üÛüGÉ22¬ÓwÙžÓzEù”ÃyÛîü‰tŒ	:J].I³Ûðä£•³\2î§d¨Õ[RRX-¦Z Û®mã)ÓÀf†XV
~Ò¨ÄÉ)ï8ý1¶ûë÷Z§ójpúü|}ÎäM@†ØEˆ!ŠÀ«–#ªÌ-ÃAÏý)ûQä“c¸–c^OÇß<-¾GÛnŠÿTH^¶÷òìÌùˆ:‰n´ 6þÐžNÌzµAhž¤$ÒbmO£ók=ÁcØ9l&Ð
 X&AGÕí
»Õyn~úðñ½ˆ¼«±	6	?•Å¥ÃTà| ò˜«üù”kRPPôçÄLA!AnÊåê(ç¬tÝ|•©ÜmÕÃk{*“¨Áý¸-†olš€úŽg‰ÐÍj3>Á‹ÊÆn6ºè×kvŽ [oæ¸gFÌð¡Ü«Ì'Q$fZú)Üçy¶ãÃ¸ÍÈJùf½8úeöe¿?¾¤aàÜð)ñôÄûRb¢`ºì_,2}qœfBZ•™Ðˆ•‰vz"ž®Y:ŒTü%XŒåàbÎsþ‡Q{+Ïá™‚kyð
 XÚP’]„îm¢ÑJÂ“Î¡¹U¶	¬D_úqÏ-ýY¯~vÊ1å'udª¼Ç‡¾P«Ì3@‰J4;+¥ü3Q`üC„';M·–Òn~¼×2ïfÇkÈÛä:Deóc–Ž%
 X{…Ëff
 X[¨s•›ÒvÖ˜bž :oñi6‹±ß?¡yÔ¸4r‚°~ïOO…Æ‰ÑRÃLá>;°«Iƒ””:˜XœèïéÛþrwó÷w÷?q™4•endstream
 Xendobj
 X10 0 obj
 X8155
 Xendobj
 X8 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 9 0 R
 X>>
 Xendobj
 X12 0 obj
 X<</Length 13 0 R/Filter /FlateDecode>>
 Xstream
 XxœZmoÜÆþ®_Á~	lCGsßwëº@R4€Q´Mýb  î(‰5u”<©NÑÿÞÙå¾Ë“ì6bçnog9óÌ3ÏÌ²*IQÙýŸÛû‹ÏŸâ>lï‹®.Þþ¢ìW7UY&+#‹«íÅô;Rh^ÂŠ˜Ri^\Ý¿ïê±x}õÏ‹
¬¯Œ0’q÷]jÉá7W»W]ßrk`	åv•]AIi7w+üv"*ÆµÛ¢*¥ð¾ÿÓ_â
 XÆ8UÊmÁKXêÜtõíÂQÒíBi©©?H½ß¥%”*'CÊ=[2ôÇÃ¶ÉndJ¬…Ü>‚T†î³k†±Ý×›¸ŠWJ9Wnˆ¤¥a²ØRim¿ûU¢†:‹U©+oñ¡?ŒCY WÃó“ÁÕöèèRêüDh<ýá§`ˆp*ý×¬ÌÿcÛÍá2žFÉJiâÌèÒðàÈnèã>pdµ8ïx×Ä=Œ=ËdI–ðhÓÛO9/n„’9/Ãî€½`dh>ÇRK]ÑÉÁš”Ô`ß´M·â‰a³	Ö"tH'Œ™é™pLÇúS“â”"
 X»PâÏÜîÇè™ŠkÃ+¾ûvÛ÷ãez|¡˜¡n+fàÄÒÇxñ€A…ªœ“-¥ö«¶]?´ûÛ¸1ÄLp ‰RAÈ’výÓ>7UrFçqÛL~’Š{/ðDOí¶É‘)çv·ª¿IÛ+<Ðx@jÿ`!}Ü·ã´Ò˜Ê¤”a«›þ¬Û9QÄƒIE¨\‡ö1PSª…Gƒä¼ðØkl6åžA”'¹4sìÁ‚Mq"I5¥(YÈ¥Cs_ƒ³šCÎg¥N÷Îz‰%‰ÂØ©¥ú0¶Û®É„V—4ï´8ÝåêO?!L’ŠÂR²(`ú±ßö] ÜO0>¹O–a·Ñ1$8UÌQ€)©Öñç†ã}³Ë°T…4°åC*Ý¹yItd£.Ñ€ŠpOzRyûˆçÇæYN2”)RŠQ¢O
Ý8úÜD;Ì1/G6É‹¶¥]ùöYØ3ßL¿!]eìoªbåË¦¬þ{·+†±››cWLvlÞC¡ÙÚ[B¦½Býžì3ªˆð{sZ0À^ÿ¸köÍcâJ-Y9Xò”éuJ'Ë¯Î«@DƒÝº5.á0
 X¢ÀiÓ&P°xÂ@×õO\Ê©Z0žRäúK&E ´ëe½!ŒM=¸‰™E&‘©ðöžÈ´ßåŠÄ˜TàØ!–'²ÓVðm°ôØNÏ$)¡FÒÄµ‡þx{·|0ÆJ£—Y[	I¨×F¢¤áÐ	ñá÷>£ÞEwý0^f(‚–$G4Ø‹'¶ò^ŒbæE)à(zÅ‹.öC.ýI:J{	Ò/£5`°
 X•›Äš:Š¬eÕ"bAÄ)# hÅ£ÄŒ  R¹˜°Ì |B¸üLÀàLð©ü³’…04ûñð¥L‹ÀŽòUØ„óþyÊ0ZÆb‹ÂøÀ‹ $êÃ¡}DI"ø:PWÒà³cÏQÁóÓýq§Æ»™I„ÄŒ#N,ÄtÎmÒ²J{Í£´FrÑ}=nïš¤$š…#	žþJõq 1ÒrA® )þ“ø…òÏ&fˆ†då‰…h¬¯»&«O(PZØ	 h%NeÃ¶šìUZ“C<héž	%j´ ž
 X§N…Â¹8C-¬JO½æ;@qÎwA
 XÎ]ë
<>¯7'ÅZÉ(ƒŽ;0´C§%4dL$Œ6º¥b¶	¢±lMßï›m3õ!iW$)6DÀsÍý·ße²Ë¤”ÀÙ•ª-æ°•bø¬BAÉ[8ƒ@fVk+mŒ¬ˆT\aòí¦[93éMž‰Íâ!_RDRæ¸¡@=7`Œ:&¡Ö{Rú ƒˆô‚"6–õnw×_æ6…š€·ÓFª®4~³@"¶I.ôBp_Ì¢O}#?¯&ªÝÑ¸J¹ä–‡t!¶KÏB™†ˆK~Æ2Ôb¸·U–›dJÉ´·–-X¨í<xÖ%¢Á¨@ßsN†/è ZJ`á0CYäž³²La•r¥0„WÄãE•3õ|Môîryˆ¯	N‡áT5ÑVDÈC³mëÔÃphvµO©–m³Ís(O-q(DP:cÇQzdà¼Ñéó¶JÕ©ùW³=bÒŠƒ9ˆªÐhŽ&)«”w2NàÎÃ><‚L"Aiû³SDœU%µ´:ã¡ê™!Jyº2äÑi$‘ŸòÌÅÀÊxGÆ`Ï…
“<=ëcÝµ¹NW—¬h2«©pw€IÏ–!&}ÓjYÜ¶i˜”*"X‹ƒU5Y%„Ÿ¨Ih«¦¾žZùçÛú;„/¤ØAT™¾'”$hµ Ãò¹¡›L Æ€SMš8Š‘þM$;JAÊÎA Þœ™_dêHcœú5£ÒœË8×*(°žfÛî›üÀÕÎ¹hfàÊT%üC±4tþ±½="ðQènY¤™À½$Cd°I¬B©—Ä0m¼gâˆdhïºòÕvÁ!ÉÜJ%%(ZŽ,Ø›Ã°ÖA?¼à5ÍÃE€ó²Â•4P**ýÁ
¦Ž]k9±S%’é™àž`[§á+·ºLøŽZãÍ.!ëx~³À£®f¼CòG
 XE§ØëR«È¶qlÏh(@Ä-I@Û6óâl3]ÓÑÅP\]JPÔœ¯  2à¤)oS£1–I· Ën/*\ÛçWÚ;sß£;kü¬Ñî]B$ÙiêTgÎx-“É8|;Ã-RŒ§ 8|éêdËªåÍpZçOÄgU,'¨Vd9¬ˆCü¡¿O$A?2œ$Ú};BÕoÃ“'PUq²¼ÌùËÛàj·|ÏØ
 XXM×<Öû±ûÂ:v×Ûãà’ðºU~YØÕ57cÑÇ2êQ	gÔÎ+'!¥7™„G˜Åædü„†=Nãw_æ)Ã=zcY|êŸùsÛkŸ
 X¶•€
h¼•ºéÝœç÷¸ÉÝYÑ$Š/ ’%ÁÞîÃüéí/ iÔigáþGBû:´ÓðÕ&žÑþ ±š¢hƒÄš&h<õ;Îü\«ù†Ç¤Z:fnÆðˆ8ß£Fo½>"-å Ezâg<Òý+cÒá¾½AÂÉNv|…S˜¾¾ƒ;²WiT»Òø˜TTO;‡,n/"§ˆh4(šz®&Ûuq–†%kw¿È¬¿c]hb{¿ÿ!¥;WKÞ“+@¯În·ý~´¥äQ“šÇ .jß9PÿAœä<+›ò‰Â©ZØãî¡!@O©Îe½
 X¾b"ÞTDÔÐ4©’Ši‚ÖŒãÜCŸÑ
 X*×k"EL”k—õ³;ñÌˆkv»‡"+£L;óÑKÊ6ôJÀ<Û¢]Âj_–;4…D7ÌÈP–; ÒZed6u»-‚’:3ëvïÌSYçÐ„`p•mÁv”0_Ç³3Ðµiè|Ÿi| ¨<
 XL³
 Xbeµïùâ\òûû£‰‚Ö/\°Ä+Þ^²G\Sè~d¸²¢Íe½‰©³’éàmbÐ%¤c$!a@ÔÕx¨2W‡¿ƒfÜâ†Y3Ûßx¡Ek˜syŠÆÔù<îyÈÙÙ*¡ÍAˆû4¢Œ˜€¡_áügpü©cÛcý
1ÜÒŸ¿bRÊæ™¨ ÎuÔ¾°RDîÜ~ÊEÉûÕ¨ð260ù  Kµ˜|E<·ÚqVP¿ÂùŸÊd#µ1¶—în€¡@êûÿ9÷$lñrÓ9<P¨„ö•˜™XµLTœ½ŠsJCÓ'< $çó'?Õ4ñ m‘ÙþÑ¿70Ïk¨‹Ì•ª‹®¯wÍ7K”ˆ©ïáåß]ÿd¯ø±èözºÎÈ~mîÆ“¤;êÜ;ÆÞ„[¿– |9ÞŒu`CŸž—õ•\ˆÐpÓÀÓ¬7ÇCýØtC&‘Oy²’I²Ì\öÍejœÊædjªë‚¤—²u]¤¹"¶•ÞÿÃ¶¦¼½|6q¥›MÎ°“óoEqˆ£´P	M"Å¢µ¹i;¬qÒ0êWlôŸÚ1óÊ0eî½*4VÖé%»U*Õé$˜Jçsû8Ìjî^u:#3}Êô=ëÔƒÞ™ýzÖ›yœÛKëÐ‘®xœ¦ÅOŠ†ð²TUö YMaßŽ]÷9zwEoÆ~nü˜	«>O¥&JKwÊW¹þÊQžíµcåžõÚøX‘†|øX¤©¥Áçt"Ó¸È	4R]#à¡ÊMdP7>ëÅâ»œ:#¾Êév£BLc8‘‰
ÅcÝ|ášÞòBM7×¡ª/ÔKjNVY—ž¾8¼ìÓ¿FRæ%Ì¼H)(Ÿ†rçDNRG\Øtuƒº–_µé³w—³•Ò×™
 Xš·Œ_ƒÊ†r¬PzçÌN=Û oxe§üŽóÿÏÛ7Á•i}Ul ®TÌH¼²xSüh(víÍMshöààëf|²rˆƒ
ù¶+<ÕMÎzàÓpf† 3|nämZ¸¶È2Íûb?öwÝÇWãöaóÇñÎV°¯ß=ÿc[?†g?kÖú®÷ÅÇW-üº}øu8lK ãÝîP¼_´|8 OwG³€4Þ¤ÖGÞ¯‹¯Ffî²ä•áSó³þÙÄs4Ÿ×ÌöÓ™À~«®’n
 Xç‰[ÂG/ôÕ
 XYÍ¹'±ƒ¦s˜=ËYÃ§p]¸%û,÷ˆÕgÉ>Ä2ˆ'%Î<í›â¯õ§¦pç›8´¨¯‡¾;ŽÍ7¤‚VÆ¶¼3þPT_¿,„K?nü_ó¨^là‡€~ƒá„…ÿë»o‹Ä9à¿)>ÜøK—ÈníÞ>ôÑýÝ²™EÏþxmgAÀkV3ÁøÑŸçMá«éÐþÖýd/U/‹a´7àð)¤L€ØuÍÏKñà6ýÿS.œÜ³æX><Çš'>v8@ŒL¹sûß}‡q’xÔ}» ÃgaóöM¨DáÃzfRs“\;ÉÙŽöÿ–{žãg2{r“ûyÜ&RÏDpï^ ¨ü6SA[Pã³õböP6¾¿{¿HNñ|X{¸	1ðßÒDø'[2¾Ö'“k>ù6×."ô¿¸öÏWÅÏ?_üƒe\`endstream
 Xendobj
 X13 0 obj
 X3934
 Xendobj
 X11 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R14 14 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 12 0 R
 X>>
 Xendobj
 X16 0 obj
 X<</Length 17 0 R/Filter /FlateDecode>>
 Xstream
 XxœÍ\ÙŽ$·•}¯¯ÈGÙP…¸ÙÆÐ-X€1ã/øÅÀ *3ª+ÌŒR.]ÓóKó¾\ïfemcH,5ÅÞ}!É¾`þéŸËíÕ/W¿,xËÿXnŸn®~øW~äæîêš5L(Æ˜^Ü,¯â/ùÂªÆ™E+XcZÜl¿[\øk}¸þ÷õá¿WëÝâßðÿ¿ûÍÍ?ðãÒœ-®]£|o5ûÞÿŽ¦‹KÓýlØ„n"üÐéÆpû€®†ÅáØ×‡ãzyH¿šm=üªmcmüÕïæh®y+	h^JOAúãâ¸ÞöÃé¸øÚmNýÓÈ8kmž€ &˜l¸}
45…öÐï·ëãâ¡[þìAðo‡è„n”35t:¢¼á\Dtf|„íçXþÃo3šÕÐ»á¸ØvÇåýâxßÞö‹~wÜ[üö‡çÉÐ“²£ÚÆ²DêU¿ûö"JpÙh¥%`ªKSa&ãJó¶
DQªa Y×Ü6J
 XÿƒŸÖ_Nû~Á?,þk³J[«~±Þ>lú-ìÄxØÅÏ¶ÓÚ¥¢ò¶ Å×
 X¬@Üößîû]Ø³Ç*€åÖÏ¦im‚ÚåÿÌ,cÆ†/µâÚ¹$‘y–f¬ua–p
Ë:³¶Àž<ÇÁB&lUØF÷Ãœõîû<ƒÕÚH6Ù•>âyš?as*ÎÐ
wé_»ýº»Ý¤¥j¼È$ sEÝ~SÍ/ïà¯@	 ˜iùE– ¦œkM¤TãtZ»Ûž^ØÉºŒhxt ÝK÷ÿUhÝo¢±È„n_HÃ[˜Ñ&Ê´Ù2(‹¤t‰º
 XÍñœú<XµõAœ‘Ó5öýá¡_×_	›¬±IwTÃe¢ùÝºß¬<`-ÚÖdqx6?Áê)œ›ÿ„§™vÙT›FèÌÆQ†ä00ÁË¥'³l\Ö…›¬-asN:k3î‚ë±’)á„Ž;cM¶¢Ñ¨WÊš6ÊOmÚ–'yP"MXv›åif`õái©S¶1ÈBp=w¼ ^
 XP,9üÜ?>!˜ Ùö	¥C—Åö¢RÀžÐÔ,¾°°â•i3M¡r+“a/ºqàD\áÖ%”Ï%›`ÙZ0ŸsY#ÉòZYÖÂFÑÈÂo2CºÛëÂu˜!Û¤ò€¾‡´=›Ó±¯É>].ˆˆàŠ°}©ÃŠB5ÙwUý(&—ê«YAXþÂj}w×ïûÝ²º”‚ˆ&‹ãKÖ"Ö…¬õî;¿mx¢±hdKÍ*Øtâ(Z5™ƒÞgM@Sµù6_T3£ŠÙC¿†3Û)ÚŠ¹ƒÅ¿hîZ«ª¹‘ýÔÄü&OLpLü°²É$‚‹5:Íy\ï/9)° ^Çš¹?í$¥nl^¡BwˆOÁO¹3„?‹Dƒ2gùO»J
 X˜q~€”9r+1ÏùøÜŒ{ÍŒNä¥V3Øv©¢²…€,í•¸.³ ”0é°í6›~†Í0Ýšäª¤,âÒíªêÆC8õm_SZ±QÿË©ÛÔÝ´º6h'frËá\'í`™]›îp¬WêVh\•VYï§¶õk¿‡d®_¡@0¤#K_ÅîõðíBÀ\Z›væ0!U]
UgBòûL'ç^ÂÄ9¹Š ´ùK5A¢ø ‘ÚÂóâÞK]¨ìÊëÒÖû‚¬‹,ÔdâØŠ#²b9•àocœ+úˆn5‚°!Zã´k cÈø¨?>í‰D9€ p¬„1DFàA
 Xô™ø8h»ÌÌ±….,¥!O™ÑÌÊ©É-Ý‘H‹±q–È1¥-áu¥0¨®Ì\)É¡ÜéaåcÎE·\ûÕz÷eó‰¢l4GQ‚Å2lk³Á@ÊAY9 XÖ¶»nóí«@ àÔdirøv~ríëO`Ó=U ÞÌ4
 X] “ã†nî	[¡tÉ.&¼ƒÐËEÔjI$6›ŠRªËìÒ¿äL(pÊ0„&y-Y£@•ÑFFy¶öÿÓùÿP
Ð80tb8®t6åÙÖÖÇS°xäSÞá’Û×À'ª÷ý¾Ÿ81>ÑÖð-é&›$¾äp„ƒ‚A4©“a/”Ò•‘û¢Œ¥È«3ûÝ—õn”ø·QÀKó¼Ð¶[‘P_À”S‹ìöÃ–¨¹	åÉ—}Ü»/è<`Ï,¹ãjTWýr}ðÄlªŒ‘˜
þ¡Ö™JLÛÂß:G<Ó(‹À÷•ýAR=ßßØAŒY ò×‰‚ì4Q’¡ ÷Ý’d§Eö!äá“êÅH€Z’eƒ5ú–PœsÅùtû‡ûáq‡™œmµ*Ì-uŸ?ØL4à9&Ï `Œ”|Æ‹¦æÂü†žÓKt6R
 XpèZå|ÁeY½6%š¾p‘Ã™iuh3€ßù²¸ö`ö¿_ÀÒÁ*îWàÎáß¾-|•À'¯ÎE¹Ì	VI…zßÇ8S°Q‰t7–X5¢ü¿'¿	¡¬)‰ö'?õ÷7‹?_ñÅúJø(÷ñJ-þüx/¦}D"Á<øxc‹#ÒsÄbsõ×t"¢Ws¾¢é}šT"Ðîfûûàã›áÿÅ§g~¤`Æ) 2ò*@‚¾ÀG€>?á˜€é°"èüu(þxW4öP<ø½ä d²
5ˆ¶•ðw’õRØX¯@.Öy–OayW¼f¥¨—w‹ùšXDãBœƒÇyP3 ÂB®aåQ‚À\f	*˜ œøÐNéÝ~ØROÛIžÂdø±¢»! V#µÂ(Ô“„›dTNH>¡=Òši›£TUÀšÅß$ßŠR–
 XßrØ»õŽÄð–µ!‘-&¾m!‡”wZ3a
 X/ú-/”.ÚP…®
Y\T†»YÚó”4¶mÀeòÅ7)žF#PfÅÊGGÙÓìNÛÛ”tL‚°ÙyÃ(cLŠ}@ ÉNµ”Ãç$£|b€ðÂ‰ÛÓ±:ƒ¸Wß2Â)„’O§¬wËÍi•I<Æ«8†„ÞÌTd<'ƒQpEE"GËÝÔsn ìIµšiNFªTÌP¾F%@*_
ƒâa½a
—´…„_kU‚VC`Uœ$G§C…zÑ/Mˆ,+s6‰ºnŸNûâ7!r2S·õD¢ß¹n‡}_é&U®5“Hºž‰WÓ5¢Æ¾“mÎTÑÊ ‚³<««ä—Ö÷C¯°Y:)ƒ@r{]jÚìE <õÒJhð–U"@¬XÕ$@äÉr`Iú¯Á¢üãRQ ³uXs`6mŒìJ“lT€ôÄÐ•“¶õšàôi}l-Y¿ñL àÅnxÜô«/Ä£iƒ8í°‹Q J<X1\‰àG‚_¼-%Œ•ÙRÌ¹-Åc!}•=¹’\ÏøTù¹+*^·nøë3Ö
²Þ§i3nšÖ©qK1ij_@ PªM‡þ¬á‡ä±
ù’wbÿqûÔ'±— :¥Sxs_[XPêâd¥qd+¥u>Ï]#P±øØ®ÒüñF´šç¢ „{S‘³ßjšöœ?ÙB!	:5Õ%ÌªdF±6Ûa)—‰¶í»]-‚t´yJÐ²8c\!"Q(êøØæO3!¥jT“D`JµÏ×ÉÃM")·'âOôqUž)vA‘Nœ¡íÝzsì÷ ùsØ_¡g>G4JŠ–MË²÷ÃäªÊòrŽ.µ¯WÀ´–Ã6¤r`}a 	L©M/»C>ÃqÝ7×Lªü
üøãTaúþ@£8å€hS ûÃg$oixƒ_Va)ÏŸi|ÓC ¹ñ=5j$ÎFÅÖ¯d¹Ù˜ÝÖ¾ßô_;j¼‘,‡Ä.‹ÅV´‰Ü(¬xOB „VŠ)”T›!¥¬®»Q‘çÛ|Û`Å\¥ßþ4DÑa»>ûi~ƒQŒ–•t$~ZïÀ~+¸ÐíJ…¬]ÏÓ60¬x¨„Fu`ø ·m“’ëÛ§-6\PA¥¥´ewÎfcRZ2»aWï“Bà™`·Ö–Vªö\wø!•“<ÍïöÝ'EcšnáçÂˆÔ*ª¿/ CèhB
å÷‘é>Nìct×*á½”¿øëéáa@m%1"éJaŒèËã:Êkëûd9‚Xsw&W¦Q³þ¡§“‘:ñÃš#‰<ÀÛ
 Ûz
  Ûc;ö[ ‰ãó)7HKLLÑ²ûñ¨V[•<H²ÅsaßWú`{];ï‘‚²nL9ÎE+Ê ©‡"¼œdAñ'ÄÐü"Ï¨Ù£,‹E²ü†Iñ³È^ûî´÷éFEþYS+PÿTí\wFpïÖ{Òÿ"I	‡ˆÃÌ™”ÌíçÚÞöÚÎ:â¶Kc£©ââi>rŽå<Þ˜ ¬ÂæòEù†çF5ƒˆ
 X73ŒEÚP9›Y*_vYÈ&ÍPJDìx¿N_îŸ.›
 Xà³…Ÿ)§ÂVoV÷ÃÖÿ&Ô¥n¹ÿºñº¼-ÔN‡þ
UMiT8\ñÖífûÝe‚~”µU«œ/£¤µó_·ö¨€©l¬âàÚŸ÷¸e®}æà×ñí²¸kée&¼ae	÷#í—‹°ô§È wªV§©gð>í£L´<¤”~;0Æ|h›3Æ}ëu›®³ÚjOFØs,\Ãz¾pÍfG¬e„`…1Û(¢>á§¿Šd¨¼”ÈAxÈÅó© Ìþò}{9µžs1ÑpÑØP_zþ´"Ä…¥Á0gLY¾Œ¼jù:Íqyñ<¢ÿ«T'í‘]k_Œzá®e• è::¶¤<kEþIy’:ýI{™þü_)õi“„àdûÂ]ë*ý!ªñ†'ùQ¥{PF^ Nv ]b·Hˆ.œõNâ=¤^ÊFøTsâêÔÏ@ÊÀ«€Ô©@Ô¯ËÒ§=òCªíC¼÷zém0´^äe•èeý2òªõëTÏëë_—Ä§š3 ¿Ô½ÕEžµ¡X2ù:õ’2ò*$uê#óTzÍ	çëÔÓ¢ýç0ü\ïÃZl–WË®£ã²¤®ÚBêÆK5“§²L8¡SÍÌ…Á”hØÕZØ`ô5ÈyA‚îFY$‹§ncS&õgc™€æˆéðŽÀ 2&½…‰fËr×ŽÞÂ‰€z"—O¼;s0õ	5ÏT¬dÔ˜J¼DSiRu˜Ûçâ(wˆIoÏvˆÊGª"‰îO•œgu¥g¤µ’LÉ'û†-öî}ñ.u…´E0Ú”¹ÇœŸmcÒœÉ²ê7Ý·3ÇKK;…Ö|€E¬ÍyÊEÏn¿_%â…šÀðÜBµ*Â°59ºSb¸PvÎÄT®¯5Ÿ¥F]ð%yZUmÅÈ¨r°«»+ÍeÐLØu®ÀÆÛL¤µO_-î_ûY€”4fna±pwS¦‹7Õ2	’óe’\CIÉþôK)ÙÑö1$ñLp·4} 6` ê	àqî³ÒN¾rÌñl¡JÕ|³I3_:—
 XÐ²É¼]öÄ^>=
 Xª#Ï@înr¡MˆWølU©íßó¦ÕeË‘KM?S°²X8GND»g Ûm/ÊÑxzÞòî“^ÇøÀ¡×Š
¦I?„4êhcË¹2ïGåJ¥dnŠê¶¿ªÆÓbOûìE#W?Fê¾!U}á+²5ÿn{¼yŒgÝé1ìéYwÒD6ÈúÛÊý-ßšoÆù{”çZx¥úï¿ù€ÑäÆŸ67Ü¦47´L_Š9è‘?+[™nõæàG‰ wrûAléa{„à´iE^@éÖ&?˜cf±	€ÄÙå¬Üèü)Ä^€aÚÐË \¼íB@x&` ì‘G¾r%ÂE6rÈ`?gTBDÁŸl6F:oF„’`Ù¼dIÒiF¼í-x“Ï•ã3éÉ‹+cx)Dì;ˆÎù/„	k&—qŠâ¤uáƒs"	.n‰bŽû^_F^ŠÞð‰€“õyþ~¾&5*=Cöá+œ”¿aà¹«K1+ñù=þËþâ—ÃÂæX®€l¾²NÖU&ÔAC‰xŒ…0ö"6Á‰ŽJ«8Ÿˆž9¸×Æ¼Ä·¿s‡{&Z3
P”#PÀ@á£¡('C0G‡^o&²‚ÔÄ7S‘If7Z„JÖ[WÕþ¨#]Ô§–s™.T+#„l 4Û+-dH£^·ÎŽKEì_	äq3jªÐ¹CÃ'æò™ù”Zæ¶À+#Ëd×Z"ÏÆ³©ÁQw"(’o–ŒÝ×˜§eÙ2òæu¿ž$H…_rÎ¯†ðK(q©„ôL~ù2@ûj~!²4ðv`‰_ˆkRÁ3ˆ°ìÍK–Í×¾È55çZÂC¸ÆýíÍwáÇéÆHáEÆ!¸4ðflÅj#6QÇF¢†º‰-àÊÈkÐ‰*osîY¬ÕsÖ&8„µÌŸ©|Ö2®»Ÿ'ß%Ö"¸4ðvlI'çÐÆ|++—‘7/]ø†k?O!Íœk	rM8ÖfÏý6®AZn¦Óž+ 
 X¡¯ÍUº:Sña“*Ozx;ò¬®¹|¥ºpyäUèªêJÐ=W]Ûã3ÂxŸ’¾K¼#,Ñóä» ®\x3¶ÂZÄvÆKÖòk\y;ºÌZDçoÖ•Âp.j3ñ!Åk ¡/Û}&Ñx«cX|¢_‡vµ/}Ú¦ÔxÙè=d‹÷ÉC>äîî’>‚¡¤3q_åúè¡'ÕorÑ¼”jé5ll¼xcP^¤WOHnÎÈ‰Y¼¢ˆ]r¯/–ÐÛ/‘Ç:”VŠçÛ&TÏiK¨öiáwvÖAjyÜw»ƒçq¸Ëš§ÊµárüÿÏã ³]`áßÑŽ¤ðû3/íV»ÀÂ_BP6Û€ªÖ‰DeäUªH‚Àv¿ªVpÞ$!<¸ñ—_œ®¶‚sA
žÕ
 XF$eäUHê@$övÜf
}t®Ö¿=gZ T6ÏÅ=Lž5ÀÀ
 X¶’yÓw«š± uòê«:³
 Xxl!rÇm6j,7=bK‡¶®KoDI¼,2éàE!ñrL¿+÷•±"ež¾ÔtÜ¯ûÃÒ’ËuaX/õÎü´(ùÉóI¸nÛtð4üÑ'ùîin_òù¾„Ã}uM‹çå^|ìñBÀP,¼›‹Á	º‰XdŸ¬]FÞ¼¶Ž¹ð¥²v=uáá¦ò6jaZB“™&µº¤¢Ïbš¯Â¸71
å‘7cSB{^p/ÁÇ<$\};¸ÌUBºƒ‡N®fÆ‹æ1†iŸúewJ&íü»yä	*RÀÝ;gÆ÷
ôDìr_I¦oÁ~Ù÷Ý±þÈ™hÊe…îÂ³þ’ Þn,½›gÀ'§qœvF&Õpñ-=TÛ¡~ãQb“zúŒcyÉ†>JhÉÙr#•¼æÛíjSˆÑJÀloñšL~P‡ÞÝ8ó Žu«Ü"!r)ÒQâv3ÀfV•;¾Òá
|<"ˆÿŸ¯þ	BLçöendstream
 Xendobj
 X17 0 obj
 X5692
 Xendobj
 X15 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R21 21 0 R
 X/R20 20 0 R
 X/R19 19 0 R
 X/R18 18 0 R
 X/R14 14 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 16 0 R
 X>>
 Xendobj
 X23 0 obj
 X<</Length 24 0 R/Filter /FlateDecode>>
 Xstream
 XxœÍ\ÛŽäÆ‘}Ÿ¯¨GPÓÌ{æ~˜ÑZ°XÃ–Ø‡ÕÂ`W±»©©.¶ŠUjõOí7nä5‚döômv!Ù°<32"2.'"²mØ¦õÿIÿÞÞ¾ûõÝ¯žåmo7?½ûóOÆ?øtõî¢mÚ–µVµjóiû.þ’m¬lœÞæcåæÓíŸ¶ãáÐoOÃxØ|óé—wþW®m¥6þWÒ4LÃï>íþ´íâá»Â9Ålø®iZ-ã+‡ñ„¯p#%cáÕ8Æã+wÇqÛ÷;òšº•þ5!cÒbÝááv<öïñ=©5c"ÐÔ6Ö¥÷îoúCÿ[,¤Ã?œ·þµ¦Tc[ »¹`ÌoÞþ_cÚ2®mm£l"ÿ~ØïÉ‚ÂiîÂ;¶1.Ñ?õ‡]þ
 X,ÔÊÀÎ©2éÈF`=üþÞ4Z0gºíçþômùŠR‡·k,O´'ücN‡Û ³ð÷—ý~€O•¯èõŠ<ýD&d&Q²]"Qº]¼5|¹ÝÓM_^à¶5.òÞòF€0‘÷»îÔ•Õ8¼gƒÐA5>ÿ^Âÿšœ3:0Xª†[›u£ÔZÙ:ˆf¢4LI›†·v!iÿ

ÛÒ2	:£Ûßwå+-Ð%â9 0Üf! LpµÃŽóûd½k^£¬U‘Eºm¤¥êù÷ Sù&k…µ&
-’^ÇÛ"u`ªÁEÓ&™}¬j¹ÐOìÝ5ÜÕ7 ê*³j±(O–Y¬4gM’@¨’r.ÉhR”“å¼yEK²<WdyÁŒi¼!ófÛ2º56Hƒ·.ï§±"QxÅd±×%*oW•`a¢^XüÊ'¢€b¢Žr8ÙŽûé¼?‘·„pñp‚™Ì P
0žpÐ0a)AÃá%j”a2@×hGáÑ0ÏP‘I£
 XvºéNx¤U>`T?Ž=2ÀŸÀ(6ô9Ù¸#qÎ9¡Äü¸Wk3
 X+g«£:j[¬ã-‹/üÖí4°o.¢•ä²áYäèÜš9
 X´#û·ÑÿIŽˆ'C¦!(¯º-ooöˆçüå<67Ýázj6›ð?ÿ¤7^WY»¥{l7 þÁ·þú{w{·ï7<þ‚ºnþSå_xæóð‹žïîÆ©¯H|Úd” Ñ,8WZÚ™fÍOìQ FÉ£‹f`e²šôÓ©»ÜÓM?óñ4H8ÂY[>}÷wr¨J@N$¿Q	A$JÒY)yã"ðÌ¿÷ûñÞk~Vj¯•à¯Nï#3ùÈMîKrÅ|s!Tð=Sÿú_?mþ!ÒðŽ7 Â÷ïäæ?à¿€Fj‹o”¡{oñ‰æ`íøfÿîŸ †bk$
Å˜!âQZƒ`ì»ñp‚-’¸”¢½ãúåÉ«Öçt}®X°×dý¿ËÒV‚õðËèÜfØ¸ç]~ð†u÷¥¢ƒU?D‰ñ–†®
 XBLøácÖÊÿù¢lÁ¸hˆL“D¹¢È¤—;¢t°õÈDxþ?îXöÚ-×E
›¶,°º}ïËZÒ…Èò„	Ïx\!DB@çõà+È¥èÉŠ‡/o·"C\-²ûø!Àk&N
 X àe[U¹ˆ’MÙ„0Ô8u2Ê“—“Qç<’ÁŸÇùÿ¯£#æç†‹°ï—mYU9jk@½²ù€W9.æ'âUË×9ŽË‹?ÇÓ	Ó!ðùÉ×`:lÇ„M{v¿UžÊ“WPg{!@þ±¸ž¶ˆ\‡X0¤V_ƒë-„›^x]ËÉîší…‚üäuÔÙŽ¨?ßó	ß-x:óÒø¦ÊwiclìµÍó]ÕøŽ”'¯¢ ÊwBþCyÔ¼GÂwH±š¯âS¥@†ŸÊ³O³¿Rž¼†:÷‘ûÇâ~Ü"a¾²üåA\û6ïø*¢©s?R¼Š:÷‘ ó¥4÷‚iÝh/‡„€|1Ûõ¹É*×å
 X¾·F}öp„©@Q.•ÀOLÚu:Ã—bj3Ä™w×Ž}·½A´OH™bƒø%d¯Ã‘$ºF©„×Ýp•±†–ØÒìáÐÍrcÌè	<	=â´¬m,iÚr‚+žØ 2j5wHwÚ–à†à7âÖ~FRùYõ¿oû;Ä~s.åû®áÃjeðMKT8Íx»¢vê·e—OðÐ.PÕ‘‚ŒˆC2Ó8¾@”Ã+-Ì…Lˆ–+ìŽˆ6) (‚^°õ‚Å}øîßTªz
&C`ArËlÆà	û	ÀÍT+¢
 XÁ©à¸PaŸ2ÀÊ"è#Êêh‹8Xºd‹vý¾{ eŒX3œCH(AäÈÂi¼íoÆ{ÔYÕj¶/aûˆ†Ÿîûž‰
 X¢+t#³ìoÆ	lÁ¯}=*ècM^Î×`Z>Ø\L#Ýº*Ñ*
'Ú.õçjØŸú#EN[!lKLpð…"ôðP2)Û|^UpÈ¨ïÏGXùèKWßÞ*§£B)‹øùåxBK‡I‚§H‚ÌÎäL¬RFbC.#±áh#µJúT¬Íî8ÞÝQIka	².VÒ‹øÏ€àš»¼Ë6NÔ[ì+ÊFŽI¹V†™”€µ¶R;¢R’…s!-•ŠÔ‹R-O¹k˜Z+Ó3‹3þÅŒn‰ñrìÞˆTB1ÇJÊ$Zl@¿ŽI¹ÎŽZL(¦ü
2f™ËWÃ‘î [ÃWbUÖ)Æ–WÜŸCƒ³ò~
 Xk¬XÈ#5\X*$´Lgô|dÃ¤æ1ƒ¥cÊèÊŽÑÅ2Î±”{äL=AwÝ4fŸnŽãùú&@òQaš•öz(î#DÖ³]ãÇ~ßÿÖXmµm³ú24!ý~W+áp…œ{Ä/ëÊà`ê¥J†ªøÜSwÂ¬=Ïg‘_ñ8|_37”ùûqü\>ÁšVK}ì&ò
g•4©&@Üömxv¡R)Ó‚º1Z$Ù÷¤Ž	!pü©RîÎÔø’Ú²Ã:Ú,f‘Z“˜ã²Ëí.ÇßPšš6Ç[Ê”Hašf¥x+Ê’£ËüùOÝu7¾,`€\‡%3azPZ‘GZ Y•Uâ€YÅ‚©ã¡Ê¥˜ŒÖ¯~ëöçžpRÁ2›2é¸æÃúøÂ(Zb¯™·%™ðL÷é&¶Èk¥Eë1%N¾ì!në«"kkˆd¥hnH©M±\çÑ>t#º¼ôNä¶;m}™éò!òÈäí¸ëþæ=&U@‘ÿ!wÌ7ø¬*?±í“paÎIbØnD,Ö•¤
 X¼€OM¸JÈe"A†HœjŸÄò“’ •±ÉÜg °UšR8¹]•Œœò$¢<y! @‘LtÎéÀÍù¨™Pä€Y5Ï9ç!-BqŽkY%Šˆ¬´{2ñœu8AælõœS-í)Ü°@9Lÿšú_‹z[¢Lª+KItú×Råµ4‘Èüä¥D
 XÁÍ"M×ûO!‘‰Â…+!†ä]¶`œã,žPjÃá
J>ÈBû
 X+’_ž¼”|oUÙì@p%B;Àœüés_ÖõC®Ï$Ÿ<wuÁ—Å4O‚–Õ\´åtE ?!IK"¨LŸ&‹3r: ícl¡x28”@YD·}G\Ž&ÖŠ•ÈÌ$d.ˆ‚— e÷ÖñíÜ+š—ù‡pÐrPî£ñ9w–Ï¨b‘·ð§¯à&—¿‚—üúêå*ÂŒ³sè·ègÞd‰[!àpdˆ5ÐDñµ*Ez‰2A^Ð<ÿìTøŸµÄ÷HÈ…æª@tãÍ«¯}‚‚«æÒæü}jMõ‰™‰D_A¯Êªæœ{–¸ÄZ\‘".H›š/cøÏ—ÐM¬œ<Â8âIfŒ[ˆ ÈôÍ¤å“¼"m.±¼pyðÖ…‹ÄÊÂ†Tä%×òŠ¤yqº~
yAfø[äUHËÞLZ–W!Wå•.Þºp‘×<©ˆLE©!"cüMþ(¼J,‘ñW
 X¬–¼‘°,®B˜¨Š+/[¼mÙ"¬²ì³…¥×Âò´QµOÖÔž),ˆ)%eÉKe•èÊ|3]YV™®ºïŠ«–?¾uÕ"ª¼ê³%eÖ’js-0=ðE¯h0 LÂ”—
 X«–¼´ iªNÚ“ÑH[
 X—ñÁkH«F#HÚs£»’i"†ÈÔX÷U¢f™ÏàgÜS2EÒòƒ7“–eúiD¦UÿWH+ÞJZ‘i!ŒÊê\÷²±ÕÛ#g<þÃaÛ§nîG<!?'¥»’Ï€ñ$É›ÁÔUÌ½(ºòLð%;Ývû=)×"œ.dÓ’FðÃô“Ò-@^@?-GÃtîÏ'À7œ%Žíô3ÔWç·ÝÔO¡¥~êK7w˜çð
×—Vªxl)°ÿƒ/}Œ¿ûÈ¼OÇî0Ý§ð_6õcï7µ’‰
ÕCükŒ+¢>ÙeûÇÓæÖ·ý‡©–=ìÆû Íùn×úÊ÷9S~|aÇ·amhoà¸ìÉ8»\â?Ú
PÚp7\_?\\zîì`w_°Ûø¡ª¦²ÖEúîFÞY#C³w}¥c¿í?WÖî=o	Y–Êj[_ÂËÁ|îû»‹nKmNÃ-(òõ‹ŽWe)Æ¤KÕî½+®ó}µy€ÍÊf¶U6O!–šJ÷™ÖKÊ8mÁù²+ ûl
ÕZ±X¢O“ÄÎÈ9BÎT¦	ïñ²òq_>’Ûn6§acy4'%§é|[ëáX™ŸUa™$h\èÐÁÓNbµžH*Z¬Vhõ£9¬ÌÑ~
 XüH°Ô‡ùº`1›î™É´)©µäiÓ "!YnÙ(CHÝÝÝ~Øúâ©ßcÙ
 X²¬â# M	þŸ4CÊ#ì«ÃåÜ7€‹TÈsyG7ãýE9º52×}d˜$u2¯Š#m {¢-0.DÕ&C½ÀÀÒFq5ˆ"uxÃâ1¨Ö—MµþŽ³›Àâ6³¥m.Ê9.4ˆÔê9¹¶ÀáfÎ`©døV¬ü¡ñJÞŠ™?\¨ÐÑÖ´¡lV5*—–zR)’§BjeTvtï÷ýîšLúÁGY,zkÝ?žÖ’´žÁª‰’ƒé--?¤ÊyìIGTk@K	¾Ô×‰3Ë%Hé‹½A•¾7œ*MH´lVÿ.KkÐÎºY+ÆpcMk–“6n·ç#VÂ5WÊæ âDY÷²ßvç©R?„]Êeý0žUà[ê$‘Îm8ÕÔâ‚AXcg“»aWµ'ºá+ýKËcéèzw<¤ØL4]cã‰zàÔŠ••ðÎ®f?à6GÅÅ’éÚ2»|§ÌWÞÔ-¾P†_	/z
 XÂ0<KÇ:DYÃHçËqI›t
 XÊÐ)v“™DÚü1Vô’áõ@%’ñª}3<l5ÏYßŒ5N·¹ùªÄ+ç5è¨ËT?¨™ñ¿^
ØVŒ†ðÓŽk£‘m¤kxAµuÀSnRßC •z}$
 XŽ0ØHGû´æ=HËŽœ¥yë”]ñãš„öýòÛ÷fzÁK¤lG‡†¾Ö-sÁ|[œ¡
‡T¸²"ëàŸÈ¸èÂ©Šs
	VHœÇr÷p5Êƒ¸€Ëµ9bŠµë¦Ï»ãè›ÂèœÉhä¥Âž¢éÇº;’÷Œs©ƒ$´™™ú¯Ÿ¾ÿvÎþ›sabŸÝ¼™	´eßw;È“ÆMm0ö}HþÒD,ó€Ad|÷+µ¾§WqàC(Ã|Ã$Š*ýÊ£²7
|?Á>¥ƒù¯Î”I#ÏA‘‚òäUÌÐ#	ÁŸ*¸U>íë•,÷|¯›Þ½ùßŽÇc?Ý‡ dì5‰m^±#èýW
Í^r\ø.=¤ißòì9žŸ¥ó`éë€ãáK&$5ÏÂ£fÒT>¢êò“·SçdD)Ô±¹&(Ê–øÇ7¯*¯¶‘5)êê;°mwC¸éiP%ÍÈóÛVÎvà“8Kµ[ÅYâ>"‚·úK&ôðŽiùI¼jW,æÆ¬-î 8¦ëc]C¯Âð·àÐiÿ'A,Uzx†õþü½Tzþ`í¶–écXB/
Y‡%¤5LËÅ5½Ýe¯®¦ÒE#åƒ>=‹íàßJÄtö÷&ôÓÔ‡ýz
 X®!HbÑ}Ù‡+Ârrw‘Æ°’Ü]d8‹¡¸y„%ïo†}ÿm% Ó	•ÀòèœÌ.j¡‚8G£€ën_DÜBG|ÎC¹%ä|‡A»Nù«Àë¡P2§j³)¸]Æ×b&™nÉHž»Ýaëm
ù`>¬‹dÏ·ãW:(Ák˜ZÓkà¡xìN%roü×GÓ°ëÇ¨¸Œ>Ò¹¥ÀI›DB¹|*W´ƒ—eˆ·Å×&2BÂK‰¹Ú#Äì~ŸzGmé€õ?û”ÈÀu±Šýáz8ô+›†µÀyá†·í"ÌÁ™Ê5Y’XÊ÷;ªN)Çûiüè]ÉŸz¢ æå– °Ó@¿’ DqIf²Î]£S.ãI!l|£ÌuI\g>×…3´µðnqõUoM:éÕ[åTú¿G…Â\ûqšª×òPãúã¡¶½–äóý‘¥™'É™"^mSF)Î{šË-Ê55hm°Rä+ù§.ŸšcÎi“qÝ’[úûµÚWnµšk?ÎÈP_™d*§„W2Å)A¤˜ÌÍ,šoWö6³Þ³;´ŠÃ¼$ÇUz7(²YÎ†c×OÛãpIÜ©!ql8¯ÍN¬KHÔr“©2àyèG]„x¨JDv´v+©§
ëÌ=Þ¨·¼cœë¸ŠO„d– ûöxÞÝ¾²oð"åáäV83R@¤©§YiŽ(6.Š£~Xó.bÌ¬¢¥3„]æ,{ÜïjZº²‡_°Ñ®j¢Ét$„9š¹ïHÜ¨æ&y‹i‡pë¹ì´‰e"0¾ªóU¾Êö%¾A¡oÁ”]ÁÅñTÕ6EåüH‘û}R1óÕ 3¼¬ƒ/béjGZÉfåyüâHæ†*
 XFb=ûÙíüme¨©V±<èR¦…ü{â–†²s‘×gæ'în‡Ã0A6_i´Â&>ùÂô™¯Ïy}8KÔÓ.ÃN”ÂîÆ{_K!“–äÂH^"»ñP²”ç±«Mq4pŽ—ûÒúûÙÍ ½TŽ
 X£éÄMçÆµzq5y«BÝ£Ñ*¹z`2ÓN£ÕåP»ï†HÓÆ$?Cí}Eaã†Ù]†Ž'—'pÞ•L²|2• VßS^û©ÏU4Z©„Ã—g}•Ä
ÎSµ’@ðkâ…çð5iPÇpº™ŸÎ.²ÌžÐ±Vg‹¼(åfòÙWFZÕ¡"±¢Bµ€På€AÍì¥¨÷*÷?:÷¶_ÔBØŒYZÏEI¨’¢øæˆdF§‹:¼Yuf6^jŠÁ©ßDË«ÃyÏÊàÀ 
 X¾<?‡¬³æ<‚5W-É\‘e¥œÎ·w¥Ì!à(ð£åä(Û8+ä’#ÈxY&‘Gí²LƒûùU™äÞÞèº¹()”m*E	ð<VÊ•Þ@:êóÏc=®SGX8ô(`0N‚ÜÇ_‹ƒ0‡ë‡Q¥2éÚ0x63`s€¢pmn˜ŒéƒxoÕ§»q¼êw?Ñ"ß$–Ð"º…áïìÔ¡øðÉ·¹.1OÝ2£ý·~®!!¿
 X«‘@¿
ÂM]ñÞ^ÅÏÞŽ»~i P1`æmÚÑì	Í³®\á*U<z ]émŽ1ÞÝ8ˆí†hÃ$˜Åb¹é¶ÛU‘šnH1Â7„ÕÂMÓZ—ÃM+ðVŠÀºL‹ð—gø2ùìF}@Aî*à`ÙD¾«@†2*i¶¸~ ¢ðÃŠï‘uóæ¯–×Û¿ÈmÔ{ümvñ8vç@^]º4HwN’–b¶’Áu‡‡àfÞWÒÊ=h+‘X‘YL·ÎÃ&îùasoMŒËÁ¦h;Dd|Ž¿¦ømºÏû]ì¬ƒzÙM±Í_ˆ;=¯EŒ¯'ó)G?U7h ›Ò`ùX6Lrôõ•ŒV†÷Ëµi7«Ð‚F§Ü'Ö’»…°‚ÞÑ
 X¹Üšœé0ïópØÍÆêÄAæªçEÈr=8ƒI]éì]¥dò^¾ÕÁ– ô¦ûm $èy„%“®j€Kš0?Ç]° ?H/	ÞtMèÙM×Üº|^ÉíÃa»?ïHå·U¬µ:XøØ÷.ˆm˜Ù¯RZ•<e†·BdJ^êÚ2ñ%^ÊÄÅXÞÇKÐ˜*E/IÁ+¢(_ö7+AùAœ¥HWö¦¼,Fž¬õ&<ðMcãÕx¼ïŽ»¾æ¸¥Ä&®å@}¹GÀ‡5¼¤ŽÓD"xíEN¿1ª¹R·s¨ŽýãÝÿu{Óendstream
 Xendobj
 X24 0 obj
 X6356
 Xendobj
 X22 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R21 21 0 R
 X/R20 20 0 R
 X/R14 14 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 23 0 R
 X>>
 Xendobj
 X26 0 obj
 X<</Length 27 0 R/Filter /FlateDecode>>
 Xstream
 Xxœí\ÛŽäFr}Ÿ¯(?„¦òžI½ÍÈ–10¼Þ•ØiØUìizªŠbÕ´z
Ô‘ÌKD’Y=’¼+Ë€%@—)^2ãr"âD$YÃ7Ìÿÿ½=¼úáÕ>ÿYú×ö°y{ûê‹o¬ÿƒÛûW7¬aÜ¥Åævû*ÜÈá7×H³±¼m¬S›ÛÃgç‡Óxyÿ°ùüöß_ù[cv¾EÊ¦åîºÝÁE}¾@ríÂ3UÓ2.¸öçþ”®aŠ1É´¿Hˆ†[.ÚŽ»¾É×hÍ´›/Q
S.\r‹/bF*ÛÎ/rà&½è4ó%Ü0
O×Ø6®ö±›¦¼\-•œ/hg ãCøy‘2ÆXAÛHÝ¶m¸b<®rÃ
o„ÛÜpÞÀrˆXüƒ˜”Â2™“ö</g¼Þ&ç·	Ùð$Ý.ý…<HµpwŒi”ˆîŽ»õ’¸iÚv¡£ðá¸×ï¼'ã%S¿ñ1Dz’5’/¥WŠÇËïºl¸h´p•…X%¤ÒÓnŠo¼œáp®˜o›¤ðY8
^ÔJáT/²2^õíˆW)L°Ù¸6^ÐìOÏtYÊòy]B7:ÙÖxzêN»~÷÷ßÃf9*ƒö?Þ æÛVs6©t#@e¸Éáø>ÜQG˜üÖÇnû¡'Rm9+—Üã‡	} GÊ6–Ÿô?R3ÓZµñF&[|÷Gtb¥dRœJ+ùºpbP3:¾®f˜!ónÞÑê¸ŠŽ¨S9épæäZ§þ|êŽÓ
±UiÛ$>ÖG]ì0LÓ0ÿ!_mÀæ²°gºá3¦ÁÅ²É—10Ñ&È8õo›BsröagâEwûqûaÈjËU”ƒâ…Ö&"rÙÂ#pŠô¨é²Eh•†µáeœzKw®ˆ Ï9*ÒènnÖˆmlÚÑíWY«`VÆW˜äôDÖðD'Ô1ÔT½ 7Ûî¸yèŽï›Ÿ$qÕäw+¦
×Kÿk÷¡_ÃàM.¸ÐÆª76] ñ4wã€¶•a²M»ïñ!\ÁïóCtã‘4\ðø8žÎ—ãp~&W¶mSZe@iJéOÂ‚7~ÝÝ]¦¾â+¶a	&:…Œmmô·¤—C·ßW-C:>€	ÿ»*Ÿð8‚oÜí):š¶#‹¢É"~S¬5ED
 X/$"2g´!±¦MŽ¿ëÑŠ¸ÑNÛŒê
 X6Œ‚¹Ž=Æ°y«ló)Ê?ô§šèxÃ\wd=Ö'1<n=…Ã©?î
 XhœË‘`}Q~ áa;ŒÔƒp,äJ4.í¬;wÅÐŠ>ÊãÂÄ½Ø3E«§UJ’ 0æ$Æ;Ü8Ü.c˜I2ÝvÛ?žQ~(éšhÆeÃ“„}ïÖ{†œ#§yÓòÛNQîtEYK×•0#¹Ï@’ÊÈ‘šÛ¨Ž$‚7_ýËï¦µ>$Z2Q€I*íîº`‘×6‘ðýEE(µÖl–µqïFÌÁ÷2ïì§áªÎ¸
 X9xZ=…Õá8†¿V $Ù&Ë.óSÐqÈ=!ù£ãåx®Y‚ÏÿÓƒº’lä•³Æ9f¿Ç¨)!Ì¨uÐ,”Qµ¢È;²,/
¡ªù®ßÄü0+òùlÂXóîM§â-þ/R#p¡1ˆúèHOhíÐš´˜mG`–f×ˆH ‘gtL0‘DÍ–¹@’ðÀûnÿìöÝé@¬ÿÛ‚$9'öóîˆ+Uš·Ëý}ìOÝþu!a|Q,·žz|’µº5)rÉ¦þ|N àŸ$$è:j!!ÅXÙ®VVHµÞgMÈòÁêyRåq|€¤2Š 7¶(- Î™ÎÃùrîkX© Ùc5¬.TÌ®Œ(íöuÎÓ „š`h¶á	/‡(±¹x	”q4#(8
 X y=ü›Z`Çy$•ˆ&?Î…$Ñ- ËÑU· YðZ0ë}ƒÉ›O€ñ•}Ã‚EËèBP?›¨~Ð+ª†7Så…Þ’\uhjÎÌ¥ÌŠ¥õ?v‡Ç}ÿ%š,è#€aoº@Z9U„
°Ua“õØŒd9\3©Ür9:FƒJUj\.Ë÷Ï¸©\i‚yÈF³_Ôœ4#„›Éš¶P.»TNæà7‡þ!æås`vfƒvý¾{&€4€ˆÎ4	°ÒPà§œË_4B5HÊnÝ*‘,@ÎYó¢–©P*`á2å‰R™Õ«uKs0¦° ÆÇhA¦š‹æËc
C1I§ŠQœ(×ˆ”\ƒŠ›e°?õÝžøÔ€Ù€l2D¼c¿=ChÝÄøe‰,2Õša#§B©¶Ãø±ß‘÷‚ý[Í¤M2|ê«ùŸ’f)¡H«çÕ>Ž¨EVûgj|2ä‘ÎWÊ”¶)ÐÄ2¥´´J•R%:-¿’ÓÍª…:Æñ%ð¾ 2r´e/‰ÐU‹$‘¬ÅŽÂºN¬I¢ ÉãÎsVdÈ$Ï4˜ªŒ®cLcuQÀÍùF¾RF#‚”)>©¥„T|w—óÚð¡$_±Ê!6†›t‰bTz¤Ä ÆÍ˜_
 Xg™ Rø8"<ÊH“å<t«,,X$ºYDA»#Íã¸H¹©NøÙßßƒ?ÖÀÃÌÔûu*•°–2ùãÓ÷
 X÷#´e.*
 X	ßi"@lO`)8Ð<;×y-n%¤Ù5ö±RæGÌQ=%(¡ˆTp¤–þÆàì™Š+ë5Ëzµ}l;h„Î²í@*]2§î}³$üR‡°“Ã¦…zÔ&ç[„KÌ¨¦.h¼,f0ˆÌQ1·®˜ð&s×ÁgÃ.˜ñ¡>µtSÐOýiª¬¢†Nx0çoØAÆAÇÓK‰\mËá2i‹‹„¹hxŠLÝ4]µìG`ªUTëhå$v8 „uÎ-C gH‰ ±C=ÂEµ7 ¢ežà™¥ëÄÌ’£xƒÆiÈ’"]ØZN¹ÞÝW‹a0BÃÂÛ5Q} Q|d=Ò¼®4>ÏkGŽ¬/W1Ýé4|$v®üþb
æ2oT“¡ø¨t qC"ƒ¿QÊb°±™õT†Óótî_Vø|!Õ*ÏlGn
 XRåßÖ`€UKðŠIVNö}wÚ?¯‘r×V¢ ëeÍ–=îÛèæ¤lòYq4–ß˜ÉXò–a"†n9œQM§cF|>CaTòšT¿@Ì°5Í¯È™ðŠ„(!2Ät—$DWø~%áû£‰E>Ý¢Çy˜úCOé+	¡5DI“nÀŒ‰Àvã±ßÜ=oü
 X ü4¹É_fžyÇ‹æxëûs©	œÉmGêÈl`')#O‘ÂÃvÙUð¢pŽw¼å¡D¢zî«8 —´á¢5hÂ43V>UO<óGRÉ}÷~mê,GM´tî<¿KL‰°&©âh{¬Ú'Lok9uíd
 X`˜6à	nr4ë1¼×a]NSòg(Âµ
 X4Ýê·¯+»€Xc_’•¶ú"Vb#·4hÁAo’Ž“Ažúm?|Ä"	žÃç…%4iae<€6[cÑg I0Ú@, Ú‘ÌA;¸Ö`³™<"‰Øj€
 X}Nú':e@ {[d¯SÿÃ¥?nûÍñr¸!~[™W‰¹l†‡ÛjýNJ\¿—©á¶ ÈþøÔÂƒttí\lï‡¾–…“a‚¡VP0ÔõO¬fDvýv 5¡bÛÜ“¥ô<Wª)ñf)‰ÌVJ©R&kM„×,óQ‹¹g•)²J.e}%ÎD-—Âì–”¸JëH»ƒ7&!Æ;Åq„Š˜Üx¢F¦1 Ó¾ƒàL®ìr×CT8ÇŸØÄ‰Ðát{%g0œŸ3@8T‚…ÕÝ~|¢CdÞH“Æ%Ç¸1yÞH$·}$AÒËÂù—•;G "áZ£²äEÇ4âž.5pòÌ	èb(¨*$Hç¬©œr¸ÏdgiÀL¤½“)€‚¹¨Qv$œÓL¹#$J´É†,’1sÐ©Žô´hhèÏÅ¸
6 +Åƒ¯0®ÌUÓâ¡Pu]Ž@0Tl´È}i´Ö•QCZØjœ\DÊ0óPGØ°ñxî†ãÔPëJ8æf“˜¯ûÃx®µJ×u¥²·„¼^‡~‡ƒ{”³+ã¸¡.«èÝz`½BÔš¢4SE‘xLZ64OY´lÀo	‰/å„ž†óCÍö„#±]qYŒG@‚Þ•É¥š4\¡°83,8,(Ö Ý‰€T×òZ]/g‚8 [P9×&bUS1R¥]ìÄyâ2-z®}‰âq
–CäS1	ƒå’Ï*»ð‡+îVÑæ!Ê<ú%È
 X°mùùø:çì3’PX~ñÙxCº l!œÇŽ"kÜ‘væÄáo=èw'Ÿ¨xÐAÙ{}xP1,¬
 Xƒ´s®ìaÒR[ôy(çû0vÊÛŽ`Zà
yDžóó—-‹Ä§‚1gë¬ƒâk&(—²§¹wG3q/°Bt/ S&–£8o+©Ö\±Id3mè©:i®$[Þ#)ŸNGòVµF™Õ“’—Â8”m.NƒÑæÚp[úØ•¼¼ÁgžLKÿnz½™~üþsæ•ŒS·”mûþ³Cß‹§õ¯¬
kxùFÊ{æœ¡-æøQaŒ,rP®mMšËÉ	8ÒéL3å*Ì¶<Þâ¢¼%Ùe:K“l
 XL›`±°ýLbÅÂeÐŽ4[%}Ž6d§dÈ‘dtÇbx{è>ÒÝ1
ÕM¦3ˆûâ†¤] á6(CDÉ•:AŽ×œÛhT²qéeoûóSOÚ„è÷ÞÔvG‹qB »ÑM½¥\œjõ
ÆÐCpgfCæ‰…¡,`b¶)ºÔõÎø	»0™•~¤Ð¶”`*Œ,%©1å$Q)ÚYô}Ž”þ×kïr>Õ¤°t¯PL[æ°Û‚§šƒ,î?å)Õ–iJ Þl+x"dKvž!ÍJ.;g…¦$Hffæÿ.Ç›×ï[:,¢5WaÆ-
 X÷PÆÌ¥Ê&dÓfîÚÏÞ
ŠìrìdÒhÅsÌÊÍd(¨vÀù»™X<™AC9Í1Â©9Àí=1nÏ WÈŽˆ†¿øF0ÁábZeçîõ,—ÿ*é,f¸u+Û9t?‡Ë!¾êÍ†PPPÕ¦¡—°¹Ï4ë%mÅÇœI‚ðtˆ(NÏ%9¢Ï¦
 Ópïq‘ô÷åD(áEq¦Ö[b.!*„S3Ú“È)wü}ú]
 XŸ5‡½Ís)^”W$ à¹‚ç«ŠÜbDr,Å6oÿäòÃŠr²HuëÕ)/–äC?¦›‹X±Óävâ@Bb\€ðÕXÚü¡¶ùüòËúîâé•»é!qµ1·KF³,´ŸÒ«»ÃÊeø¹¯ÞÒÆÎ9tµKfU™FA`‰O³ÞÀ¶#ûZk$½úªNâ»Ÿ+&éš0—Ï²IÏ‡Àƒ=àþÏ?Ö~'‚Ý-Þ4[Ÿ²xþ¢ÅßpÂO”ý”Á§¶éÿØâ9±xÿ2AIz ŽÝÄqaíD6°þj~4'o“8û•Œê´mI®=Î”Véƒ,C •á~·4KÝ¦£Wž‚IË™-Ã4&÷	×ï“XÑöÕÅ:b%åRŠŸW7k(Êy£õ?‡äÒ¬a;&ëg/Óß®7w£â¼¤ç ¼k¿°§d¾}RI–Ú•}¦<aÞ©_	O7Å/}ÖfC)ÜAñ Ø¼K6,àÚ@Ä3
÷mkýØ‹öì˜Ê‡Ïþ#o)ß¢@š¹ðøÏU$%ý…ðìò<ˆJûCá±]@½'b«kOÉú¡Ž&ÅŽŒˆ‘< ÖæyŽõ«‹¸’;)UÂ
å»7 ™VæC§áýÃÙÛm¦a×oRáåKiÅ¢iÆ|£R£ñ>´[ }þÓ3£þÁOüÜýJðûÓxØ”	V¯æS½9ÿô|OÈùž7sñüÖ§,ó½Á+º-æm-çá}Þù	Ïó&wºàio°%,Œ!?.“ÆËDz’e~ÆâÕü ¸ý9pŸ®ÿûÁ½Ÿºpü'á=}].uÄw/â=_"ÓÏÆ{ŠïïuŠ0Ä—/!~†Èš¯#¾yñ_¯þwß¯Ì0Æ×xÿõÏÇ{	%µïúã½t¡Wþïƒ8EòS¼L¼â¼_Ï6ñýgkÔqL£Ù’;ÞU’fpúÂ±¯ ‰©\ÂçëúÏZóyNÅÇ+ òÜÅ¹+Ò=ÖHÔÖ‰–Ì‡-hˆ z1QŽ3Ðc@wd žÐ½V\¡®é*ÞP’&Nfr–O‘£™8Í,Dîˆ”ÃÌ~
 XˆG|æV/¾ï<k2ùÀÚ¿ÎÃNÊX2{AH“óeV
/Vtt‹¯kã.Å¹fDÔýéK:…€Ôºâ8ãJzìÒ«C/äôýgïºï?ÿ²63A?BšKžŽZ<äö«?VÏÉ	‰É§<j§ç<ê,?èÃÎÍ~ÔÇ[Â÷)½žŠÊ³oŽ‘ŽO£Ñã)lç^@üµ?‘Þ„?u#RûM—‡ï_×6'ÒÜ×Û1^Ú49Çs‹ƒNøq‘<Y™[º3“¾n\Ì”Åä)í™,7
/ä3iÓx³\(jKš	ÙUûÓ4àÎ¸·²Ð˜ äöy8±Hl"ã§9ê–Û†ÙO žï0Ú¤~js8Ï3jCÕ’^âXØ±pÑŸ…£]Òþñ4ÞU“åIV”±fáQ b„¸¥·¿#g§pÐsýQ‡),”ó¡;?å…ü!Õ'‡Ûðä§f8yz9ž‡}E<gˆ*ú‚Õ§zfÎSÐYÐöÇñxã}§:H¤Dž:&sD`Ò’¥ôÜ$æ~7RÖžk…Õ©i|]ñ,:}Q÷,æìÒ¸BO$©$Ì]$–£']¤÷È÷›ªƒv<÷ÍqÎ®°™ù8Jæ7jßwªô¡ñ3Ošlú¬m1^Ž¶ã¸ñ{2>ª
0fFø@‚WÔåcfê?áŒ'i{zîT'uÑ ~_L–ÉC2Og€!Ô$:†¤¤F =Gû@fbÉÄl3LW¯
´Åi(zðŸÍ_@À¯Æ,¿À|C)¤§ö§jèsqÖ’Ž:8ÌžÊQœwäì•® ³ã?è(@N“‡ j‘IK^SšÊ±q<À¦æXDt©[óI6_šƒ+}ä…Â`ŽÖ$qÌh¨Zt¯ågnäXÍÝá|J¼m•4éC5¬Äòï¾ùú+ÛÊ×à…ã¡rÿ’I`ªWÇ¿‡Hu›æ¿YÂÚ·ßþ#ØN›"<0·É‘yLË~z¡«ˆbS]&8¯Cç} °¢cù8³BFƒ$¥Æ‹VEÏÌsgÝþ©{&Ë“'Q¤ÆÌèÅA‚•ÓASÚÏ'“%lù¡¬eEBªçåì¸“,üÉÉ`T _` ]o(“²5‹´=@$H|"_FÈ<X~V†C¹¨5f¹ÅÙ€ïþùÏ$®a
cæÃAQïéYˆ i=yÜÁ	û—
 X¤‚Ûd)¦ÒÀ
—3
2¡¬:}°Es}êê³|>ŽºÊ0_9PIÏûÞÓëÐÏ)99Õ`"¡(ŸBgÎ–UƒßªÑä‚d×ûý²æzê‹$'E9Ž2“¢øi@2{mšß¬$®’T`?ýëÊ+¨o1‹õSDbù
 XHüZî¿ŒLP.>±÷BƒÂ÷àÙcÕ©o6ßŽ3K=ÏìÓá€aºÒÔ–rþÆío®©ý«öøþŸôý“¾²]5&~Ë´/—ª
~›h_Xu‰öå"|d‘Ò¾x‹Q®íË}:*UÚýµÀ‚º§ê$ã«¾j
 X_Í"¯T,2m›‚H×ó1Ø»™¿¬{<pq_r´%{ejÂ4‘éß–Ëö’mÉü‹
L2Èsnp½^/Ÿ=GYoóä¾~’Õñ{½Å>M—ÏOîx÷Ò+sÎï˜eýO·›?½úÓ«ÿ‰±vendstream
 Xendobj
 X27 0 obj
 X6142
 Xendobj
 X25 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R20 20 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 26 0 R
 X>>
 Xendobj
 X29 0 obj
 X<</Length 30 0 R/Filter /FlateDecode>>
 Xstream
 Xxœí\ÛŽÉ‘}×WðMX]ÎûÅo²á„]`×v~ÑK5YR×ŠMölõ
 X?Áÿ³ß²‘÷Èª,vKCÇÍ<Ì ™U•—ˆ'"2‚ttEÜ¿ñ¿ë»?½øiEýßÒÖw«ß_¿øíŸµûÃõû¤#Dbäêzý"<GWFtV4¡`bu}÷êúv<®~¸þ¯W0žR¥˜Î¨¯Ù¼z¸¿yãð#S6"Œ¹Ù?ì6~Œ{‰2”)?ÄtVÄ!ãv›ßBÌø1Ôvš™0æþ0|v§2Œ+ü|¸èˆŒºïÇq÷¡Œ²ÖrÉ§Ãöïó„˜!Úú±Ž§9oúSŸGB´ÿÐÕº³”®(í¨rO·CG¬ D„
•çñS‡a= ÞõÌ•Ôø9™Ž˜¸ÀÍ¸i
wi‡ìö§ü5"µ¡VN‡Œ»ÓP¶›HÎm˜<ì7!qÐi_–¯tØJ:“g<ŒŸ†®|Ê	‰{(Ò|ßäß
!
 Xv.¼N/ÅúãçK¹"V…]TÞRmb_ÆI.ü|¼Š³¸¨csg@NEœÌÍv_+ëVLJã•«.ÅÍ°îŽCS8T'Ò×Šp#â¤)ïHúýTi…‚Š(¬yí^æûÃçr’H?iÁŠh<öÇ<@+ç¥ÌvD	´AG,>T(¥tü"•qR7Ÿçò
 X“Š%A¦IÒEÒÂW6Q›2Ø%Çèø™rP îÉpèI°ŠÒXF¹ßYÝ1Í³ï†¹DÀQ+•ç‰>² ‡êÎ$Ý‘&ik5õ{a<fùwÃcã# ºYþ±À•íBÁzmœž	Gcàø´BG•¥€ ¥œ…}ã²	(÷[¤Þ/h¥î´MRþa·?ÍýçY½O]K|a:aÈÛ]^(¦–ñ÷ôóº?óµÃPÕÎ”Ð"J
 XMBp<>ÜÝŸÆý®VKõ[€\V(Ùƒ> fR…wÂêI’¬Çq·Ù?–A€Ùâº×ýa3 0€§	Ã
’÷»S?î*C @TTPA]@w¿0ò0“49Ü~}N-ÇòÔ2' +Ê«zÙ†ÊªdœãJ³Á¸“‰gË»„<‡ýîÃëùé,Ow‚M Âj	›,lN!:–Ö´îwhQJÙ(&	p†þ8nËK@Z9	bï…7!nÀAêM²d0Àõ›þþ4)KÓZM1Œ?‰‡—c?÷Û~N½Ú!A:-Yc‹¨µdfD_Ò—-¸-ÐD[4“J‡„œ Ùòþ„ùþ0ö'4 (Â,(Ñîáîá6^¼£vf¼(×ÒÈ):xy>¾nJ´éT&H‡Ö ÷ ³\Ó ú`pTÒg¯ƒëSû4DAëê4 CxPÑtì@û6ûöÂI¡lháˆ°Ít;?';Å2xlÊÄŸhg2Dfþ6
 X”‡F3˜Éjüˆß†íSÎ†·ã]“Ò˜Þ7'{en¦v6
ÊxàÂx@/l9[)ÂD˜D:Õï6ãætÛDJYð¹ß!ûÅ”QÁ²ÀQ£x‹Å¢«œÕnwå€(óxBà1gÝ¼Ýšs@§t*˜‚”p’8»H"{Û}A[–‰šùú×(°¼ÔFÕ•‰”½}.Ÿ~Æp°ÏJÆ7 â{|OýÍÉ4òL›¾´Ý?bÞœ@'=”hXÿi•‘FÃ»æÑ½°E–àÙèebs»?""{0yY÷ß´¬zµ@PÈÂ\)òÊ¢\Åi ÷ˆçiP2šÌ´.g
 X³!+<±rTc‘‡ì4BÁ”lËk´°3<;%²}6*·Š%C¦Ó9,Ú 6’%"èÁð?ìÀ©Ùí·Ãæ˜+·Š®(76%,Ö?to÷‡ÓïŠA›E Ç«+Ø6ã¤fâ†üöÏŒD/ÝËè-‰×"üÂ:¬pü#< Ñx83”äÈc7#—À?µ´	¶Ò9~ UÂµDßÿ;}ÎÄ‡¥Ø@w¸;\·WÀá”Y+q«u þÕ}
4/áÕ:N®¼ýø±ý2š¦> g”X>yú„´ÌD-sîešŠßxUõ8ÿ8€é×áÜDwó ‰T«>Í†ã/ë¸q?W|FnoÂ©)ué÷óÅ]	ãgte½=yÞŠÐ"ž^a˜L:/ã3š“Ü±zâM‘t“$—ÁØàgÅ€ øgåâ.ê"	ð§Tw¯þ'¯&?Ð‘é×ßjµ¨>»\,´¶Ç#2¼´Ÿ)‡~žàf½¤IhXKê¡@ýì€ñ: …ÇS'$ï^Í§iMŸŽ"€Ï}uDŽN>ñÃ (Ó‘Ž^QË;¨~
=<ñïûýGÄÙÊ^€–
@Ó{&ÅiªH–”‚ÒH]X:!°Ôã§¾v!¯¼kDêÊ§hÇI‹>¦%þR¢¤ À&D°KÔ0G˜_Žuè‘Øh#ŒEöáý~V=ÛÆ}À³}.,Ðgk’ß)Óç†Ÿ&Û6BÊð2Ð‡äÌ¼{õöÝsâŸÓuð¬2ÁŒstßŸU¸fQ™OývÜ4
º”9(PÞaÀÕ£‘Ÿ“ÃK˜PÝEoe
ÇžÎûÃþnå6D¤Ž«ûý¸;@>Ãc·º¾}8.ZSp†•Ÿ@ž%<@-K‚õ›¹:ëÎñ+‹PnÑGÆè± nÓ7¯þþLcœÆ·q"™m´Éhôë3Åùe¦XÛcü»63ÆôŒ1“±“úocŽi’
Ä!ØYsœ—Õ2 ÇP.w4Ç0QmV.z·Ñöq4lŽË3†—XÁ³Ì±
æÔ§iíq&£ö8kÈÇ¹úû`@z>@QÒqO¾F=§L9o¨	g/æô\wX5õÈ«¬ SeM‹B!5ÞMX²Ÿ Ý|LËÉC'omœ/&±‰)&Þáö4H¢Ë,Þ;iÝ¯ç“,ïæ!>ˆ†ÓÖº¹dÑÕÕhä>3üï9°uÖÖ	Ÿ÷|ô¥s	k¹ÏÀZZ9YßkÏ#mžÊs‘6ÁH‡2°_
 Xmç®ÏÀÖ²A}p›ƒkÄ—½ˆà‹·`kB62p)ë%‰K’¼“â‘©ÅõÈÛüõ~¯tŸeW°p/¢ÀàM ùßR¾–yd)úåõá²Ì£:Å¹6d+}Á@Às¹Ç·cOOzªÂö+TX…åàkºôéeâÀTœ“òê¢“gâX>ÏèG;@iÊ2¹TMå¤ÿæ¬öjÂ~Òz/é»ö~×Þ_·ö.ú
:ÄÀ˜P>iÓö)Ø2ÀY1Šþ‚ÔÂæ0™¯-E¹íyùræ¬Ý)
 X6Ä.ÅÞ	Psð¬Ð’¾œ½×¬ì{w2!ö>K
 XÒØøg>ÓãlõÕ
 XŸÍ3hœƒ»'d¼¡`©÷mQ`Ôå?O·Ç×«õþî&\.y÷j|÷ÃÊýÿÿÛ
 XJ‘¯Jð^û‰>•àñ’…ÆË˜Òóüœïé¯´— HŠ9Yð¹
#.çâ€ûáÐÝÅD%Îz8æ	g9¢pž#]çHÒÝHNÖò«Áó(Ò¯ÛÝO,çòŠ@«(ïW9û‚”ßø‹¤Út¶3OéïÙLç"ERÁàSwåv)²úåIÙÎ‚BQÎƒZfHOÜøb†D£)”3ËøRüÈ¥-)h3ZÐ×D7çÑ–¥è¦¹xt…sH¸(µñYÍg}nŸqã)°>ÎŸÝÄ_ž”ügÙ}ZÙùgÞùçS§Vg!±íW;þYˆ7us“R„Ð9àýø„… éïDjJü]ùK1î.6x-ó—~IÆÂ’Ïb,î¦ì“Q§ ™§s¾iù®Å?C‹gÄEý
 XˆË%Õx‰·85ÏU	åÞp)ÞÂm[ØÒN-³–Ëgd…»`ÄÝz@;/ÆZÕ^ýòr¾eFÅt=ÉY\*	?p6ª~¦¦“/L£:‘æ"+<@O¼ÍB’‡q·Ei•oÏMÁtVÏar—Þùën.Tˆ¢:×·ÍkÚŒæ‹çõ-mTâj&å~óÛÊîúÍåMíWøRVr\âê'¤@ºy€Y*&ÃéÐïŽwãñˆ/ˆQØ£ÃB¹òvor¥*M0×(1æ¯ÿù·VÅI¸4”Â°F™f¸ç„¶\ÑwÅ,]ŒÏÕ[îæt.*ÂôÑ5;TZQJŠ(-[¨¤Hhi¢Ý G•Žýö0ô›RžbÜýô°‰0ªTåº²½
®¦ãÌˆXº%Í¤@é/{t
1/à*ß±uM1WÔ¶«	©êRÕNUEèHÈyÁ@¿>=ô[|¡U£Öª’˜pšž
 X¾Ã¿jÔ9ÈrO±Ô9”_¼Ž(¯¥Â7|ªTãÍ‹|›5yù>>XŽ¤xXß6%5×oaIE¥îC³Ò¢ý¨J5ÕÝ†cÁ	jƒeÝ0Üîs)ª^¬˜±Í°í?ã²5çETÜWq ê¿‡CUÊ€ÄáöŠj<ãÎ›(¼®ôÎDdüË¸[·ª8sF}×€ ¤‹±ÔÒt¡yw÷°×åžiT
 Xgþ‹µj¦.~$>ì»ý§v5)µè›`ÿÀŸO7F3Éy÷jë8<ŽÇoˆD\û"²Ücà_Nõ·T”Ûž“úÛ¢7L·+®ªÚ°¬æŸø²—Ë
 X>Uò²«Ê ‚Þû"åŠòt¹Âî4D“R!6u¹£`X²Ý´(¼ÖqXÜTÅ+m
 XÒX«Ó³m!H=ºøËÓÑkâÅú<ìvÇcªKMŒÐÑ7ÇÀy)L=Wy:Ö*ý;FÛŒä©\FÂÃm6ð¨ƒC®„ÙI¦ÂâÔÊÇÔ¢n›V7Àõ Ò²X–‹„ýøph”ÆãÇi|Èvžh-H€á8[E…h1ŸúíÃÐP]PæO4ì°;¬ÃhBÂ»´Õ„&J‡%lÚ¹¡Èašó¤‘¦WEÇ¢¨r!:j+DO$^¡”ˆ·úcKÿ1Iºí?µÊG/Hs3`ˆÈ¥±W.ýíL6÷[‡¾hñÜm¸ŒèfFz1ÝFÔ±$a×›q¹è” ™à‘bBAßïýaƒtÑ4lôXŽ¨•M‚YR·°(T°[
 X-á@L®å‡cÍšª$Ër&0÷NÇ•ç¯±AàbâK] ûjåô)ú‘ü.•Êðâm ç„‡²÷q€—í«PÑð&Tó]•©
 X.Cùƒ«áSÞÿtSØ|î€šçî…{iR¦7ª<<ñŸ^h0:3ÊÊçjLÀltàÛ:8Ëœ–ŠÔÈœÃ³cg0ÆsMr[õM§3#˜è~®gÊ]¿¥YDNÞØö$&.à†4DÕP#ŽŠ«U…ÒõðZ¥y*6â¨ÀQªÜö9y¹Ñ‘wm(á©)OV`¼‹ÊÚ(î¼Ä'«{KRs{ƒHâ*dª
 XäÌ1ÊöjânWç–øn0ˆq¢á¾$©}“(;³Ø¿)\@™8·¡°¥ý–‰bT‹"áTeÛ…3“³"›~ð"E“éä¸ƒ.ÅÒ@±#¦>Ë$-oŠžP	– 4v•¿òæÿÖpáM¹/Aö©ƒl–rkæ£á,q¹µ3¥6uîÉ-]Þ¼ž‹&®kO·ÝC8º‹A6vÏ…µmA’f¿ì_¿lŸ÷'Ì†—ãLÙü”O#K˜æ<]âŸà:*¥ö•Ô+¯;NáF'}uóyõ¦YKiiÆçTcÂH¬Š«ûM"ó4œuîs¸&TòjÏèú %òpß¤¢+Œ/Äðñÿƒ:ƒŽGüø—Ÿ}õÀ¥až»®j)__h=úôúA<¸/¹>Rë‘‹Ù].øâ}V.twîòÐ¼0kZ™©Ð¶,*ò•1^çPÐw5þ®ÆÏRã³‰¸oÄdžŠ‹§ö%õ¤ÃÌ²N™‹+1sešæÂZ<Oîhêk©®ÎµK˜ç—ü†¡'òKyÛvþ‰=Õo¡"už¢û˜0Î?5;¬¢(üE¯Ú¬-äŸ˜ÏbÔ’iþ‰ù&BÁ#Ÿ¶XÕLÄ^8®ûƒ•…fo–š¬šâ2íß×L‘Æ8Ò¬'Pí—ÇæÛžjÙŠú6-ä¯J¯ÚºíBélä¼¼ Þë3aâœ^Y›ó!¢Òûè¦j„P‚œhŠqZðŠíRŒ'±b”!uj¥%jµÔ©Õ¶leóli±”üË^x»G«õÑ…T—¾Ü¤U fgº´¢f€Í.´H_Õ¥pÇÐ‡0þÂ<ÚÅ >0<$(OûÕÍ°w>DÔÍ·{ekQöç<ÓÇ²„n=l$tm[8Oæ²íd£hì¢Ÿ˜Á¦v²s‹JQÚ©T}Ø´aŠÉ^ø]Êà[",V”‰Òý04kCÙWX´Ò)uƒ`1ÿÒ¥Ó7Æ´Ñ‡N•úã‡Û¢’¥#ìqŠjûÏsù¦Ò¤æò[ÂN[:ºß J¿ÐînqøX«…ŠÛ› ,»´ócâªD:Î“n¹ó“s¢ÕAU1¤+w×VY[òÂB‹â«Ê˜Úú”æ0&ç™P‚I&-]lð’áx™Ìùê„Q~Å¨éœ"R'Ê:_£ 3îÿWÄã†‹’—Saâ}Ô3t±DŒžDLbûÎÍºÊá¹`:’r	%í_NÅ¿EvRRûûˆäf@·p
 XŸ†êÚ	_å±k éO¨“–:wµu2[ÛÜ7óÎ–¦í¸#$JìƒA[|–”¾ÿhntE%ók,›Qw*¹} ×K( È9	–"ö%K†•µ±®´l~K"Mw$Æ”eii„	ŒåI(Ý]”¤‡ûÜr²N–Á’2.<·3wPžØ5/èý¸=¥Ã¯eßÇÔduQåt;4rr8’Ý2Yºg ‹é”Ô
Ô‘&1B}“ñ1hÀº´7S´C¼Ô5`N$gîpòç%ªì)g6ÝHž`à…)eˆH9«Ls~Çæ™ûT.ü^¶±°H=Ÿr\·ßnËþ ¡KšúT¥a²hå-„ÆÍ&€i´ÁÎ:UL” ß¢VÞŒ'«ç‚Ý)\ÛoûÃ]ë01·¨Z»R×ÿ2©]¦1Ç”}³ýÜh>í.Ä´šù¢.ó¾éu³ù§“º˜J“’ÕØ6‚|”EZ³r[h³oœNœ•9”y¾V3dãFÁ7ÅâuÉpêí›b’6r%Þ–Ú…Ll:²÷Æð‡³¹7é¯Wzñ§ÿc|z!endstream
 Xendobj
 X30 0 obj
 X5509
 Xendobj
 X28 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R20 20 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 29 0 R
 X>>
 Xendobj
 X32 0 obj
 X<</Length 33 0 R/Filter /FlateDecode>>
 Xstream
 XxœÝ[YÝFv~×¯à[lX—®}±Ÿ$;Fƒñdì†5ƒ‘!°ï¥ÔŒîÒºäÕÃ¿*0§öC²nÛ“I€$2`µš¬ªSgýÎBÒÒ†¸ÿâßÛÃ“wOÞ5Ôÿ.ýµ=4ÏoŸ|ùƒv¿¸}ý„´„P)•5ÍíöIXH#Z«Mm«hnŸ½è›Ãðæ~jÎý¾ûØL÷}ÓÝÞ÷Íù²ï›»OÍØ}Žo¾úüößÜ–Lb¥ÛQ·¬Ù0Ùì>ëÜ_þÀH<~/Sm-ÑîeÛ
 XÎmà·Tpk…[òa‰F+·†X·‚i·¤Áï*4hà^é|·œCˆpOE+” 4<ÿ˜3‘9œZøãÞÛpÖ8kCYË)so?¤Ý·Zë°ñW(§ñV2þ½¤•MÝCmãã·¿±]—´[žÖÇÕSZM¥5Ú?•Žà´z\ïÎ[bÕ|ï9iqëãúàaÓj±;™¦{Ý¹Ç"<¿ù„hÕÊ!)Ø…çÏÖwÙØo[IÄï¼ºÃo_0P@W4D³#IÅ ’ã‚ïŠf›¤§È'Ø°Zêþ4T©Ö0Ñ(ËZÊ•3°_òeòÆœf†ÝÁL½“ÑR-[n ìÊ[víV¶à´[¬kX¨cyÊH«ydð)Ë˜ÄÍÒIÆg¤4ÊøåkZÛo„‚	uÛ·ýÔ¤w™±Šùw9i¹‰”lOÇ©Žc~M¹]•M·’Fyßí‡]z‡2Ctð¢¥6¾²ë¦®I„ƒ±Œñx1™òò³n»=wàÎòy’ƒŠ1EœŽ›M§ü…óõwù·7ÒVaÃáåçMwÜ5ðü˜$2\aÃ4¼mÚÀç—Â
ˆ6~W
 X×T‘Àn?ž*”³f,2l8æŒp&ážDùý™I
çÑû£C¶ÝØ?-üÖRS•Ò$²+R¡\°`Y¼M2	Q#_îä‰eª‰Ø7QþI$’j@›“®ÝíOpÔ®œ$µ•,°[qwKÄïËñØoûqìÎÃþSÙSSï%m5‰‡¸ïEe„žÝÌ´2)ŸS™=lWvbœ©°7Åž}ó‡*Le2²Ë6y™îÜã‹u‚;÷›ŠÙ€ˆ¼¯*wÜöÃûÈÛÀnÒf§b,8=.½®SUâáéuyCR.£G	.¼qÞõç¶¼%¨Ñ€º¤}¾»œœ§s Ñš"m	Ò)LÝ÷YŒ\*|1ÐÄ’r>œû±?nûíÞºœ‡(¬ˆW˜»xšìùšWà-“ªæ„%Á)€`¬ˆ¼/Ž®±Gz@ŒáÚøÝ¢C¦sßoß"ïQøÀmá+æƒ…C•ŽJŸÆU³rí#FºÙ¥l¢µ°Q]4ó„uSÓí÷O›÷Ãö¾Û?ž¦&YÉ§v-=’ÓÐÝg7Çqê»]–,ƒ€ LÔî.ºL	Q”ê"a™\ïðúuîH'%@6Å£!ñd’púÔùö’Hš %:}è$Àr•ˆ"KÛÞŸ@ŠæR Ù1@@H6ùÍå¼)†mŒ’2ò Pµ|frŽôý§§û¾>í÷§NÆ¯‡`‡w§Ëqœt¬
çþw"a°7þ›HÐ©£¿ÿ?‡„ÿ!aÖ²VJqì2Î227ÊHWÐøy
ðròøÿ5
 X®[BDPÎåÕ¡q0£4þìHÌÁ±¡Q²a_Ì$KbÂ1!qú‹µ…èœ‘Åœ	×bÉFÀaÒp. ð6°Ü8›òRÙ„ðBª³M‘tíÄÃ¬øc&1¿&™ð³GŸþåXûÍ£OÿðèÓ>½yôé÷>ýöÑ§ª?ÍâzQá^¡D:,³5”,€öµZáD'š,H—[%g7sV$£Í“üôØù>8àÝBš°PkŒƒ4	6HÚýí£t‰˜òêˆä:vÓåÜíK®Z
 X;Ü[ûîøæÒ½é¿BS©¶oEÚíÙ¡qÂpÐ2…qÀÃI.x´[Å£y•!¢Ô…hËÒ‹±ôSæƒw°˜È2úcpˆb1ÓQ	Ú
n0Q=²`‚GÛ·ÇÓ‡}¿{Ók¤ˆ3+Ù)RžÑ1}$‰¢×çÓsicR™SJ®!LKQµ„›Ï›L(ILà
 Xq÷Ý´ânÈ!1s—)•TQNSå.n‘s/bEœ}Í³>M,ìb‚2Ô|[ªðÄÂ?>û¨Æ‹›ï¿ýÓ‹UUÃG `¤%¬Œd¢BµÔ:]ä´Rº
 X¨Iz)ež…²–&²§V%/.["²aŒ3–³¬ñ9™r”Ô³-[ÀŸ‘gT—¼¥¨šK[ÉYÕ|fŽÇ¤l1¾0ö1uõ×J©¤‹)õ¹û´¾3åÎwïAŠóeÞýzØO)ûó©P'£!g}‹‹	™uˆŒ+œÓ¾ô8çœÑdA×ÆW¶9g0_·–2¤°×9—’•*ç˜G$+Îq*MxAG8·v€D“Ba-7vÈ?×IqzÎ˜6ÆÄKgo³=]ÎcIAŠê3ÓföŸßR)ƒd	dž_¹¤º +×Å®Ü±Àþâº´y«ÒÅ®H;—[®Hd˜v¸ &eš$w¨<T5XOõÂ™§†8GÓ!$)÷ó§M…o²”ß–B”(é»(¡%GlVIÄrb.(h¥Œ‰¨Ò0o"…ýà}Û]\kÈž}\¥L»ý„Þ÷ýùéã~äþ·ž¬¸frqá®!Ó‘‹ºÎ¸w¥Åý§Šîo¨´Øä¯.`¢n m+kÂt
 X† M›
 X†‡îãp¸äpãþhÎìz8ãp·/"+%€72¨RâY*†,P¬ªÌÉim¹®j%+ŠbÒí7ÿZ,R!j¾6A—ÃqwúPªË\ˆX	Rm‰ý¾Ô&_¦p›ùËÏ€_òòs\wW’ªJYI\Ý¼f¤Æ;•x¿KÖ•‚QJI½”Ú¬GÛÑÑn‹àA')‰£ÉýÝaÁS-l¶/§µ¸ØðùÜ§A×°„muÑ¥nªù'p—É+K¡Õ6e+eå€8Úˆ+CYòý™Å†}É
 X€T-–ŽÒ¹‚*|2Ë"¾g!<Å•÷‰¥ü¶)üN òÞ`3¨ðÌ1`f+ ™‹nˆ°ÈeRpDÃ¸˜=Igí‡·Ù@JiðÉº´	ºC¹M¥•r»í}ß=TjÌàRõ³/™WÉd*Ø¤{pƒˆÃ¢,LÒæn¿¯Ø;
 XZ3'ªJ]êÍt>]÷)|m'Î*”H¦—,ýC*çúØ&ˆŽ>•-Ž¥M†È5®.²\Ì9B½¤vìß]f
 X¼^Hí½Sáàñr¸ÃÑ”smƒÌpá7jÏÐHs¥Y²V˜Œo;…’6–êQÛæt7öç÷Ý4œJüÈA”FÃPÑDHÊ¸ºÂñâ‡tv‡k¯8¡dôË°z¡×ð4A¯
 X¹Ö©ÍB³e¡.´4¡$gËeöç¾Û•®ŒÕŠ0_¥óo{Ôíš91ˆ9¹ë2sb3Öå8]8Dd—é†H)²|Þäf¥J%¿ì¾OgÔ|C®å+D>
 Xk=0FÆb¨h“ãŠ×®ÂBPäeo~iÍúÉé3:Æ£ÁÂj%MÙsn4Ý¢;sÿbiÃóF:pCa0wÕfÁè¢`"ð94Õ;`)B
xK3Hñm®ºs¿¶$E¥[»d+Ó¬2N¤š8
\©f6$ÜÐšRnÃ•rE>u†½Þq‘‹1ªÔÂ6•;ƒjúJ$Æ¹¸d†Ð$%g¼v²ÝÞ¥QàÕ£Ãã%4º6&€e4E¼\˜Ý-¦
$«ÐžÄ¡Ì£òR^Èî£“ÛûZz‹ÝÐÛ#ÕHÏb¢çìt	PÂt±<Yj&)_ufÇé I`¸‚Ö6†0hé$wWúàu-Eà…TÐ|0@é~wý¾û„§	 ¦ŠT(u•ñ@q‘å®w½ÏåB¾§b{‡„ŽJPbâ+Ô®K%ò4”i’H¬x7‡‡}TáciÞWä8“,Ç<¿l!)ß_ùÖÙÙ8/ÛérîÇy;cJÉHXŒà·¾tîçÀ*C"¡É|à°¼€Ý¡ØD0ÀÍÀbÙ+ÞÍékfó L[Æìr³ËØï¾º–‚³ô¶+Gä„:?N”å®`ÓÄÓ›iû0‹ûæ—Ù
 XQYáÿ\^÷§óä~œÆWãüüõeån±òÚ* Ï1ëÕVÁc?_?Ñ›>çÜ$jÝEWË>:$¿ðú¯™3¯¦ÊûŒ_ R<”´–<õþå·¯wyÅÙ«)¸{Õw_»¯Ów}í¡ûè–ÿÞ¥E~)håãÂøµHâëUQÀº
}gäÖ\¢¿>ôÝÎ{0‡@_ÝD7F»¿ªx7‚æán®´æ0g¡×+Z!.Ó8ŒÍiÝã†µ1¦õ%$Ý†þZÒüš_ÑÄÐ5+‘xë&ÎüÂñt9ƒ¼üÐ¼º»v*±[9t×Óp)IY¿ >–_?Ö™ù¹rp©b¢ƒß+ßöÑº!ž¯››ÏÚƒm,€Ÿà-i£?¯uRP-CS³BæÉ5ú|ª,T#*ämÖV¶	/¼º³7ôG£2yÇ´dp¨ˆpêŠ×µ)øï—>B€-ã/JŠi7Ù‰JpsÓpÓLýå+˜)„éÅ$×øÐÂþ®¯¨Îø9´áuLqHÂAÿB¾´ÑÖs´ø‹‹ú-«Š¤÷TUœ«U¨^3W•tGê1áL°€¯Pæ³ë_Çjºˆ“Ü¿+]Ì“¡è˜Å µ‘\Ë82‹~íÔì!óÞq;ûQ4€{â@àUãÏþ ¸2ß¹bHALH‰ Î…Í&t_õÁvÍ|v¦†>b®(¦É5ËO5ùPO‡°4öïš/€	(—Tš("—*øºæææiÿ»ñÓÜ7?]7"yÅ«¦ˆ]!ŸSt“_¥ÝM†~Òmk™Z’
‹^ºTæiC_~Þ¼,ÅÒ›¿‹èè2ZX“
šuqîªTRÚD}lø¦*ì2k¯³¨ÍäÎ²H¹¤;Aýñ1ÓÐí‡÷Ö;VT2¥™³`QæS±iJ¾x*Y¯Š™3ÎV‘²ÔÜFžKAÿ¼´_ý˜WBÐþPkÙ¢áì4„4ÄšÅ!‡a·Û×Lä,QÄ• $}u£ü¤šJ?¹Ñ{Ïõ§¨þšçO¤*Ó=wå;*ò¸R)tŽýv@5sÆhü0„·	:Lç¾›x¤Ø
“4«”+{/{äðsÍ<°¬5xÉ<u0VýHQcÙÍ&5(ó&%´A6Ïu*Àçâë0WR¤Uù3iÊ¬þL¡dùL¶l™ã—àà¿µIŠyx „§†Š-ä**‡ŠÆè›E•Yf,Ú:Á¸Ðé¼U5ºø
”P¾üß
ç±öÅÒûyƒÃÍzÒ¾sUôx:öW¤Š7IÝ7.«òµ+
 OÑU¹
  ¾4©ð„Zÿ±;¸ØþÕš\°u¶ì¿.'¹Ë	¬€àX]'¯‹œ68‡m°>„bØ´E—ëÊðÆý¾¢3 êÜÇ^ 
 XÔ ¦hlª4w¬L¨
=Ÿ*ý5„]—¨ 
 X3®x&7J*;–J±pCE°”Â¡™/ç<V½ñ”Þ»‹x•v
7e¶· sÍlž‰¹Åê¹ëÊŸ®Í]*’Â#ä¦f\V¥µ€öTILÑL¡7Š‹cÂgO‹².€%‘¾tX9¸ì›pMP€…ú”elh¼”ï4Psu6W‡ºÜà3,5©‹˜{7¥D–]CþàL°2'³øà}dÅ}uUK/}-U:]}ì¢Ò‹EÎ®4~ñŒÞC7Žµò5ú¶—¯5`¥&ì &ûf?2ìëèó¢X$mE-°ÌÆ*Ÿ•!x!+Á±ÿ8Õ,}ÚyÕò!Zd_ûÆ p	ð—†®z«cŸË_5öpýZš…£3ÆK Zå.qü¹ŸÎÝq<e»¨Q´µ•î'§ªOúŠL.t‘gâ)6œg2	‰P²9â§Ž0Ÿú&wüœƒwÖÐ5pÄ—®C—÷pÔÙZnñóÓt_10}ÅDÝtJUäœ÷JE"Ð*‰á1ÍÃã‡nÚÞ£
 X¹†;óÔËVÓ½q™_ñ
 XÌÚ–ÑŽYÒ/¤7åâ”Æ‘	¥|ßL„ÜlsóSæ(¾¥\-EÛæ‡¹–Ä
 X%ð¹¸WÎ‰Ë¥/îSâ2÷ã´ÌÀÌÆiUü2Ò(Q>ËÅ aj0Ÿ,ÁH«šzÐõ¸Î»7ŠÎžÔÏ“üxP<ª9°F·³»ÝéØ/+»ÿ|ÛüùÉŸŸü'û ™«endstream
 Xendobj
 X33 0 obj
 X4879
 Xendobj
 X31 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R20 20 0 R
 X/R14 14 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 32 0 R
 X>>
 Xendobj
 X35 0 obj
 X<</Length 36 0 R/Filter /FlateDecode>>
 Xstream
 XxœÝ[ÙräFv}ï¯À›4¡.(÷L(Âòx&Ôá°li––c,‚$$T*T‘MÿÎ|Âü oî@¢Øêð“»za™y—sÏ]@jZû;ü¹?¼ûíÝouÿÿØª¼y÷õTØÿ¹¹·#5a‚"ª›ý;ÿ$Œ¨UiJk®ª›Ã—Õyúë]{nÿ‹üw}¾ûkw¼«þ¡úËŸ~¨¾ªèn~Y¼…T»¦–öïwË'íÇí‡éæÃmKfÏÈ7žIn?ÆáªÅ_ú#<8?#û‚þ1øËÏ_þôáû÷ôç?Ø7|ý£"‡WEˆQNXMµc¦n„{ÙwÝ©«ü ê

1^3©@I°d¸z3mà—qºÔuÃŒ_YÅ;Ñ4Z¹ŸóZ2Ý„-Èèê¾ømp«ß³¯ý)“ÄJ9îÚ„]Ãmí
 XØH3÷¼¬í	Ý‚ócZ@k˜\xn‡K7åûÁ)¸tJbMMLX5Þö¡µ!…}à¨BÑå>S÷[Iˆ;ªYÍàj;xUX”n%œ‡7ÆËÅÔRÍY‰û)£aa…n˜_qßwÃÝ”IÎl¦j–ãå·Ì®%ãKâµÜQŒ=ŠÓ…W$úÏïÓ&$öQoeñ¨Oíþ×î\g5À‰EãTÉj¡ÃNßç¬J®‚²±±žÛó¦‰ñ KRKk–åÊÿ¯ÙA7/éJ5µbâm{‡¡5£jó0X®‡F°-?5gs'p§åM#©	JÑ|ã™”TZ2Ö4ñÆ·VO Ùò¨PJi©ífù"·¯é<Jâ”Ií"ìÏ—vÈg6D»5€S,
 XÐJ¢d¤nâ¥‹ÖÉ¬×Ng¬ˆå½½íÁ‹ÔÜ,té„c×*8“á=ísW:,¯)®2bç>@àÓÞfû¦,ìF¢j
 XçÈ²=uý±?÷íÐÿhc<î»ê‹S×_TNbýTµÏm?´·CW' „yŒØA4€ƒs÷ª›ÇîXí‡®=
¯ï«ûñTY‰ºó©=N‡þ|†
¼„¾IR`?ÜßŸ×B	ôºé+–®YÓh(@ÏC·øè–ïÂz´Ç[;€™I!6Â—³Û†3M½pýÚø‘Žpÿ#ø	'D•“H»êÝ&‡¨?)"%ñr<ðÏ_~ðÑÝ	|Ÿ™ Ì®ÚC0p>{úO>ûß?ïì–çì’³ÌØ
 XˆJV1E×õ.À›ZG†ë†ûº@i—Á	`i-Á9ˆq–Ì€½Ã±Ž•E¹»î¾?‚Ñ¶SØ0uûs?+Q#0³²©¿ôÖ‰VH¶ÇEI(:aBøæ<DŸoÿøÏÙ¿`°4QÓp‡ö!í"¹àKé§LƒtùLÄi'A@zŽ‘jêÎ;OQ²ˆ™¤6šoJ°,I—WM1íÒJÎ
„åàUgqm-¼ÏH,rðN®úËeB0Ì¥0\DNC"OÓåÐÖ4@ÐÄ&˜ßÐRµ«ªT5‹"ØP%‚.¬J"Ô˜°‰ŒŠxi§‚¢Ð¬ )¥…æAxPU.Ù,>Û‹Û³WŽ“VQHõÒ@ötÎ`óß ›]Déö
 X‚FòcY³]Örë2x¶Wá “_ÇÎfŽ=Ô,¡ˆ¿¦TÚ¢H†|dÅíafþŽCo‚&»vèj·N_í¿ì{!Y=78ÿåÛÿËƒÔçŸþõ§ÂU0"x³¨
Šÿž“R¤ø ßÊŠÿ,iHVt;uõ o±æn
ÚaæùPè¥}Í¶©ˆd*Bf2Êa_&GÚcÕµSßªþð4t‡îxnìNVÝ“ëCªâé~Y÷qß=¹G`iwoaû¹^«nèÁß[ !	Á9DoÖ,œÕÕÝ¾ƒ§Nà+GHkÚ
 XòŽ¯áj…¼
?ùá¸Æ¥ ’€ùøà›<e &ê¾º÷…èÁo[ANkt„Ô”-Ü·ÃdoœX3RjO ;ó¾un¬!i‘Ú5`v>ê†©˜ìÛ|uDHuAñQ¢‰”ÉÈµ@æB1h¾«ÀN¯ß%JßmRô–BÝfYÙ(¿lÒÉ\	!ÎómÎŽ+!žY	ë:!d(ê2bcÅ"ÛÀé1èoxŽUÒ”òRmAæÄ«X[`uaTYÈ{ÄÂ‚w@!D4áˆ!Î\JÙì©ÉF¦Õ”Á´åMÞZXm3™l-Á+CZ‘ÜZ)¸)8§ó?çbÿ?2 YlÎ	È§g±ÎÜæïæ’z´¶5?ið»ÿè½”ÊåDˆADz¤lníóíDè³ù'$@ÜDãÞN@ÙïI~þcx
 X")t—*´×sY3ƒØJ
 XáÔ.Š©¿t‰QÖ õ²¡…´üTÝvûö2½QÊÕ¬¦)ƒ)‘¯Êlß£3ñ¶ô¤-Ö‘X¢ëû˜X\ŒG '‘¾fÊ–\üYæg˜å'äåb‚{èl˜S·êÓ9ægX&¹Æ.Éç‘JR)¥bRš&,Ío±ÎbWµà…Œ2SPF¤rà¯¥…R¿¢–q’ÕZÕà—cµ1)óÃT4×sn¸,j&mÓÑ•`Ñq|ÊÉ¯ÔÁ`»½{íƒMƒ„“’Oˆ_•H£²ñyhSÇU÷§ñà˜W †–ô.CkJOwR:W›ÕÿPéS)®C…5 U¹ÛÛ6ã»BpQ‘_´ÇvxŠL‰ë$X$x%NêÀ”"ÍÞ§Ðþ\\¶Pï	0sÅonä`@•åY¡ —ìÇãÑ—}òyR™â²ÂCwT- ZiEÝ¦Ìþ<èlw*V‡ Œ+gXûeñXž#1¸¦Hu	[±E¦gÓÃHÚ…14ÔlÉvV%òTˆéÜû¹íP‘„pÈ4•
 XJ£QàÀÚ/O5z“[q‡"	}7¾tV½Ç†"%s'ƒ{º—}ø·,kaý~Á‚þÜX†À‰pæÀMž»›Æ~7#™`c¡\ºOã4õ·ýÐŸ_¦$´#£3Sòå©i$¬Ü¥þþ¾Ìèý)×æ(áÆ¸ûsN±"d=qm$¬.¡ °=‘XALõÁCw7“,„rŒ’ºPã½y1Òß
ð¡—.RàüÖA–ýŠÜŸ¡p(kÐX)ió…PÜ
*w>PÍ±E&mFRè–,;áéµ°$c	6+›×½6ç^jóFÐ Äy)êUñ2¸Áq %ß$÷Fî›mÙ(xyˆTH"@—^Kpá:ƒ\ÂŒ%€¥¼aœ*ßizÎÝ¡Ðüã4%‰#VcÓ„„œ‰eŽ—Ç~ÿXBÛø‹¹$F`S1×LpŸÑÄ…éFDcKN—ã:S¯m^j¶@ƒµ¤úì©ÛaáJ#@È™toÇñŒÚ¢¸…È2â"ç‚®
 XÆÝÇ~:cÜ¶Šâ‘L¥zßÔMn¨	á¶‰Û»®˜Ñ£ÚÆV?²Qk$qÂ@dw{
 Xr‡H}}°>SÏê×Swzîî²Ë$>ÂYn—™ˆef1<n23©m&™TL›‘ê³ƒæSh<Žù(À¹B8ã5¾9ŒÇ‡…DhÂ˜ÍŠÑ,R)ç8ÈôÈwo”¯qb`Ÿ.ÁufÐo:j,µËs¡Rgbi‹(-Ø")i1mÒ\Iný´SŽÙµLó¾@¼šÌä7ú3¨ z.Û‚Ì¦;·
@âäJò“=òßSœyŠ<¶§>»âòà,©>ký©ÀN`C±6ˆ @U,Ø4Ñô .œÇBmâi¶¯Y"T“Æ…ËäñN×c¼N¼»´QÔ¨œX@¡ œ¸ë|'pàÜXË~—pÿ.#i„}‘—çèáŠ_Æ[™Õ	lKG”½yìÐDXš•Á±Œ!†%Rƒ1,J¤ò?†À
1„[¹nQ|ÂJf¹€”ƒe¼0‰ôë¥}-g?k*Þ¤½M¬qôO¿"ÉKå‡CA{/(>¥äŒ’ðR#$Bä·CLã—):YÉ€¡"ðàÑqƒ”âÏþxƒ‹â"à—§ÈiÊ8“ºíDt…SØ`Iî'sdD¢ÊÒÍ=™BîbòÅËÜSÔ
´@>‰Vc^
 Xû`e}
Ñ—-`¿4oˆ£—#E6€8EJŒ3à¥Š¯}k
g—ÌBéˆâæe88>5—p½&Ü/w.å®yÂÔ5‡=”ºgÓ¶Ã“mNÇ2Kf¾Å%0	Ò¬Œ6Çýp¹+)•¡‘.ÄZEøtBòÉW_T#$™SR‰Ï[y(–¢øû2^†Ò,Ó³hh	³Cù@sþùÆ	H¹Y§Znºä[–k¢%YwÆ–ÑRd„ÄÑrNO± Òf«b”sk•JÂµ5»cÕ¥EèRáŽÓ·ÇN†«LM£<¹™b}l/.Ô²AYX† ÷»®0ÛO‰$§¹ ùÒŸ“£±RóÌ¦
 Xlç‘e6Ær5`¤Š5§-ìÒ¥´Y\axq?fŸB79Ÿ¡Ñdn
©ÇÙuùWWãMÍiàÈFE#”i¤£Gî¦8§©±ÂM©*Eº-é,¦ù¼B6*öH•XôHBù:búMBe¦26 §ÑAQ!ÛmgsX_sk¬ñÐÈ]‘d˜\æA®ž¤fÙ}³ó
 X´MN:ƒÌ4™IŒÊ@	'žRNîÛaœ
 £ê§ì±©bâCÿ¼QõE"LE"±t,îˆ;åÁd´ÙÊ/nt;ÁÞíå\§´ôñMiF›ÌÂ\l„ë»hPpæ‘†:Fžå´-R-%E‹ån™‰bÍÌÁLfêÁéGT„2åÌ’Â¾8´ûƒu^Ó!s‘äsXÉÂò±¶ÊŠ2‚kß¤•2•Ñê¹/˜²iˆT,ÔlÒÔÚS{jNíÓc•¤ŠH¯¸n¨•,Ûö—¥Î‚iÃ¹è[Æí$5Ÿè_™ü¥BÍ S‰Ãâä}:zïg%3 LaAÝ °O”ç$}É™Œ
ä±Q}…QÅÌuæ")h¡þ|RŠ]Ä×ï$_}ÙôÔNSö”YŸ£8L“¿˜±ãbsx/”¡1;•¡sŒ½-–‹$³êG¦Ô\å…æ”ZØ6YÈ1Ù8´¿èžûr©s‚[bhôv3	‚{E´™ç@NÔRêuÀD¸xãQ“M#T¬W%‹ÝÇçîô0>ÌwøT®—¾´§RÈÍr ,}MVƒB•ÍùÍ÷œõ&3€Ÿ£öZ°oÔuÚ²nknÑ
 X’y/Ê×ð™‹{=³tº” æûFJÀrÙk^ÖJýƒ‚ô^Ç¡˜>02¥kÙC¢ˆ8y R°TGHc3>k(¼…å)@\ŒÈzÂoiïžÛã¹ÅF–³Ás›¥8Â0›Î_|$Ày¨k†u¢ÝùqÌH“Já"šWJ`7Qâ"(cÇ_v-ÇCùI·þ^t\ˆJ§âhæÇ»ñe}^‰Ð|†g¹‘˜›,(+©‰+vÜ}L=!
 XGÿ\²¢§¡ßCìh}	Õ	¢²M;à¨Ãøð€’•Žc8ü¾ëçy$*ªd£¸ÐË°Bþ=a\Ò`¡>WW9¢x=—j£€^4;p™æv‹…V‹nº;IOQ“fêmE}fxGÛ{
3(_ÿ¨*{µ0ÆmÆ’¦q™ãc6ñö_~˜ûÇñŒ)g]Ù›<&¾÷y>“p/\Ì¤#bn=*nž6˜=vísÑ£=•¶#èvØýPWv…Å0s“Ä!dazù2_ô;»;W?‡(ãn<v•ëÌ¶Õ<[£€°d5$oÛí“ýä£]Yÿé¦úáÝïþ ëendstream
 Xendobj
 X36 0 obj
 X4486
 Xendobj
 X34 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R20 20 0 R
 X/R14 14 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 35 0 R
 X>>
 Xendobj
 X38 0 obj
 X<</Length 39 0 R/Filter /FlateDecode>>
 Xstream
 XxœY[sÛ6~÷¯@_Ò$`ÜI“4³™Íìl§u4³³Sg<´Il$Ñ&i{ÓnÿûJ4g×‰ãH><÷ËwŽ¦ˆØ?þçbwr}rh÷^ø±Ø¡ç'§gTØwæ«“Á„	BCóÅ‰{’"%°–(§s‰æ»§¡²™½.›‹vq…ÛæbY´Å¯ä#n—f¿D¯Ð¾6Ûó§ðëÙëvsÑ˜ëógè;TÂËòêbköhölþ[Ç8‚fgD ùÒŠxèkUîg¯áŸ‹MÇEqÕj…~ø1+ósþ42^m‹uƒž ùß.>üë'`ÿðÎDŽ±ÿŸ  wï‚^Þ+‡CŒI–îô,÷…H–‘LÙÁB
 X4£gªSo¾1(0&DkÂ¸°”(…‚$šº\oÚžŠ‚<Õù“qÌ2éh6„ß’X>¹$¹¢ž$÷M¹4‚f\p/&cî÷eÓ?r’u‰H1Q^b5Õ™–NQÊ±bÂQÜ¬·Ÿ#
ÕZæy'…aJ<Í]‘hyæ¡Ö±Ž¤ZE
 XFsAt'ˆa™{]›+³(WŸËýº·¼—wAó*·“(g“Ä’{Fó·?GY\ëŒ*¯pürU|ÞVEt.ÉÀ·ºãÄ½k¡ÖífÔ,y€7k ljT¢,ø—dº£˜qÞI3ˆ•N£Å'Óâ.å-J¤Í71 1ÜË£h™çH|\íÌÝ¦h:JsÚÅBÌƒ–åjej³d¨R]à¹Â,¸zUW»c@‚R%Ž£%d®´	I^îË¶,¶åïE[VI6’\3îÒ18.ØR@g–®Ùa’˜¢Þ–¦Æ‰r”u²9…öë©Þ·GÞÔÂ¬õ¡C ³!9tg«ê“ç>¶À(bl×foê1´Ùé.)ŽS›$¸$¶u‰ ©D1†T*Ê:
 X
 X‰L»+·Û^;eîI´ð¡)¶Ûên$zgò¸ÖáB„ZÁkÚ¢	nëÈwº¤Ö ŽÊ}$ÊÀ?N'v:9UL4É¡b}Ùžäí©êO#<˜€^¨B&Ö"é…$©È	¥ôÀ˜ùiè–|–g>adH«EÑ$òDäÜå ô_ÏÞ½¥RˆïÑÙö»r
ºGÃü€:faºÝvÅ¿&˜‚Ã©–LÏIÀñ¢_Å&…Lp°¯¦yôVN°‰zŠÍ$Å«C{Äc<Ò3±(¬‰ Þ<ÄtŒï
 X ÈƒÌ_Y0ò ¯ðõ°®ÎàÀ"©«+;w ÙrÀ
 XätQ´,k³haÚ·Å'À€]o·5ã{)º*êb]WMlØ¶›ß:È /;;TŽ”ÐÚ‚í½ õ]¹¾‘ìúÉÜ!×F€™!ßc+x¤c:£0g[¥4@/ÇmW´‹ÛmU}jPÑ Ue»^ób´“Ü°ÕØÁ{¾©nê…ÇB,ênên.Šå²¶Ñó‰o¦ÆV^ÙÈÏ'#ñüÆIüø%eÔNðIÙ)¤T„%
(¼3ùÇÏq²å*X…Áß˜¶
HmÌ(åNuÆi±ÔZyÚ€IcƒZÛîns6"ÉŠïK!ÛqûH±ƒ á‘MqŒS‹ÿ¬¤3é)º4Kq²àÊÃ3D\šdâmƒà°4h<»(ú1–bv‰5LFÇœÈÆÆÀÀüPÓ¦Ø™ï{€Ÿ„È²Ã¤n=1ë¢^nMÓŒ!`Áû¡9
 X€aµ%Žë8äœYÜw Ï²œõƒe: (X„Àoq Úæ4€OQ 
ì@®è±w@îÍÂL‘ø½9f%†€<6µ‡^lgm®jhÇû¶9¶Bd˜Œ¬\Ö1fÖ-Á<0ëÑïmQ—Å%Ä8b/PÚåô„@¶ªê—B®0EGbÌ í+u¤ÌsSÆŽàé]j4t¹Ý&W)Ôad@ðåþÖ4m¹‡,ÑÃÍÃ.àr²{˜œÚaò4´IìJø†t5å-¬ ““fF5ïàåþ5æúž³ÏÃ@Œ?~Þœ:v„g'€º÷a®•Üa6«üð8õ5Ç¥o>¿$ Ï¯=
3‚%Ü6¦âoÖ¸Õ&¯?)@žÛWáá_ÚÝÃg.$íÒ´¦Þ•{Ÿ²)à~Kº7™8Lh¦BÁ]O´$‘šå¾éLì&<w·Œárb!m×ôÀQðwýÑßÊ¾(Ž§Ï¿<äÏÑ?nšÁð+@zuÓ®+À >{óöïPæ¶-z€ÞÅ–Jd~:š%1³Ã×Õ6ã_¦O‰&(ýË}5x¼~¼«ñøs˜	nwµ¨NŒgì?7f?iXRp¾˜È5žaÐBD6L³ÌM$Àî<Ì?s}Slã‹Iø›¡
 X³€ÅH/ÊB(áÏ24\îLŠ å½òPEÓÜìR”O,”ö#69“%rrœÓc9	&LälŠÛ±Ãx:$éå ¹¿ÒØC±GÕøqêº&°ðkäºæ.Oö˜Üù%ã-/M³¨ËËx\K”$"‡xi!’æÐIü$–8Ãß¾îˆ/ÃèÌEdAã*õê÷ÛÇ^Hlúf´]·óg®>G?×ÐJmÝw£ñv@;¤ï¯y}Pyn ¶iå¿<hrAüàè#ƒC>4ÎzWýå)Æ¹¿;
/u NšTÂÃì,Þ¼»á—+®¥;‰Šé?—X V	L¯çý•y_µciŸœtÓ´§Ê^Kò¤
–ß
 X>÷—ÕëÙŽÞ×0 W©ýµO„Sœ
øÀe®rVýžcÚ¤S_ãv“
 XNûÍŽ”¹
 X¦d(òpÀ¾òùàvÆ…d~èb]Ò.¤`Ä†clñ|ž=¦êXsâ¿ÝÈAÑüéÜt0M²bäV‹‘ï5y457‹ÇÕ-ê.ÌÝ•¥Ã/¶L.«›ý¶
 XÓ`ôfÛTÈÚeƒ
ón	›ïm±½1v@Ói>Ëæúvü‰Ìª +ü1 vþÔÕþàÇÙ‡y×^½}ûÉ+þ¯sôËÉ/'ÿÛ'CÔendstream
 Xendobj
 X39 0 obj
 X2324
 Xendobj
 X37 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R19 19 0 R
 X/R14 14 0 R
 X/R7 7 0 R
 X>>
 X>>
 X/Contents 38 0 R
 X>>
 Xendobj
 X41 0 obj
 X<</Length 42 0 R/Filter /FlateDecode>>
 Xstream
 Xxœ•YmoÜÆþ®_±@D²uÉ%—\(
 Xºn!MbçÈÁŠÜ;²âË™Kê¬ýï}ãË‘w–.@dñ†³3ÏÌ<3³r¹ò?ó3)/¾\|Ažzf$%úëúâæ£È'ëíÅÊu\?@ëäB¿å¡8p(A‘ï:1/ÊK4ùl.Yòˆîî»¹Ú\¡ÿê§WëU®ëúR‹VÔ	]ÐŽ5Ü¼A»¦eRM[£okê®JQÂ›–åzhêG^¡6Ù#Ñ‚˜@on†Î(W–¡6e-[ýØ¦ò*½}mÿ“7#	ˆºaè†±
\'V¾çDzaq¥RŠ¹±‹#¢Ð£ðk‚DR§¼?Õ
Á‘q lDØCýÔ«ñB`%Aœ8$Z"ý)Øu#¢§Näë¯+žp!XóÜK?cªlö
 XÎ)¹ž°NG$"^(¥pàDVªÍx3˜@Qm1v¬„à¼ì•„ÓÈ7Ä3C0@ V§xFÖ’þ	œþÖwëðúÝ¯ÃqRl@Ã±±!/÷/yÕ²6¯«—ª À‡ÄÖ%ÖöQh<òbÇµ
 XÞŽ-Ò0ÆŽ.<ÏœÞ0/tq ÃBé?½ûçà:€G¨Á†FFb[°Ý|`N€9øs|\‡X|>þ¶b…‘||ÏÒŸ·bÈ<Liè)c±?Êˆ®ôÈ„¬;V+ìy€7 ‘vƒ5¼‚³'>‡Ï cúð%—CÇó(Õ"O¬èF¥B)Å!6zÂÐ÷´T½¤£3;‡Êz‹ì9ÆVIV ÆA`Hœ¨OÎ‹´—ñ	”l|„®ë,Ù	Â6ãî«QÑcJ|zd¨è’Ìâû®Ø3<«‚
uê¹8Æ&#©CÁ—!#&ø5Ú7¼†CÒ™À €gž:šÎŽ(S)µ1šo0ß¯þEò:¨Ü\äLLÉéª×ä[ðÿí”z§¼zÝœYï‡
 XˆCH·RB0â±!ÒÞ±ÍmŸLŠduL‰n)>íã”Ô•ìCC%A	U˜@¼
÷tçù±Qcå‰Dl@‘†¦MD¾
v;ù>2ùä[
¬(®ÇŒ{xV©Bteï²}D÷	¨÷ÀVj>°œí3±C€¢Y£!5bkQUY5Êmx•ÄGýU#	R‚5ô‘Xcëªx^’FÔ¢®ç¨%ØiQ;É}
 XŒé`à%(3HÈxTe9)æ÷Ýé¡IG–YxQFÄàÔ÷u oQ#õ+„)¯þÓ¯ S+Ôf£@Œr7v¨u}”»ê´áE–™µÌ!ãÕBÇ%52ˆÓÀ	¾ŒûÔŸÐå0½øNlc½˜T#*<J)Ù©01ÄoûÇ¾|Pã»¦ÆÀ—>’¢.º–òj(Õ tÂhV«ª43CÄá°ÀDÜõ48
gƒÖ2jŽƒŸ%gU+gU`Ü'?Ð–ÀD›Ëº1¶)˜Ä`~(jˆOŠL^¦á	„1¦†PKöõCÀx€Õn§öÂ+‡äG~8~ÑJ~s ;!sÏ¼5EHàÀæò·÷þüÇûÍåvl(ºÖ]œüî»EmóÖ0(ƒq=í`—ölI%>¿=|þüäl#4L2ùÎ>Ù–Fý¿¤|›Wýë§ÏÐ/?Ýÿü·_>!ùé¾h}Q›‚ùÇ;´+QN¼p	´üp‡¦Jä:5ÑLú$<…õ4i`çK%z‡Ã$1¬å
:5èw¨ÛâTú×ÍÛ%a£ÑìŒ~0—Ã@Ç«„£ª+àÌ¤.÷¬ÉE]¡CÞf¨¬Ó®`ÍPÄˆžK<(ÃÐ0¼Øf%oóDM'AÙÕè÷Q|
g%r@Ø Á¼°Öò	2¿¸ÓJþT\,²º–ƒµ%…6Õ¿mØN:ÉÓo»èMÏ@)rÇÅ@F0_KU}Pã[Á« ƒ.üvföŠçúÛºe…9}°ô‰AœÓ6Ê9ðXË'ðrdVj¬Ú6u©žZPÂ)í2gž±§Áø¹n9ÊêÐhƒÔ†¦7Ï2ße„º¬á7 }¡<™2'¹a>‰Âü+KZhÒ\Á`4u×@:Ê*H¹hóJíŽ€WßBU‰Ù1èç(°€rÂFM>'N`KCÔà#Ún»œž?EÁ#óÔXy‚Í•£!ÝvR½sòŒÅô5 €$Woz+]P’‰Ÿâ’1‘)³¨|3»Ä¾nZŽþ„–ðxQÉ¡ÏÃ˜ZÕ-:À÷</d.ö¼E7ÔÜ¸%¼tÔÃ×•Ñ:ëÄ5RÓ“¥Yª|‘„EW.ÍW°Y^„Y¼rö«v¯Šhm˜Eç7'—{ÔíÞ£Ôj¡Rèé[räf¶½–ðôm´Ê)})Å¿îµý²g„äÍœ¼fÚ\ÞßßC‡JX%ãµÚ	žj¨—[ËÉmÓ~ÔÐ1"_Ð>Ü72Ø|¦cÏ]?öLd›{•%
 †‘u
  ˜hÇ—O¯½V‹ñ}œ¹$Sq_^NnÉ¾ÏU’5u•ÿ‡¾e‡ÑpŸ¨ŸyìÁºMãY¿^Ú TÄf+„ü„fM†½3¯RÎGó»Ka6×TÎ•fO0l5]ô…S«²Åö0º}Ÿè«(™ÝG¾¼„R=ÈÎ×PØÍ=Î
 Xƒ”¼Œ›ÞêMÚ¸«d¬^b?0OtûT²&Ì·@”U
 X
£:7›Âò³TÛ£-*DMÌgèàXýÌTÝIU·§;·´on‘ž7—j!˜ôrv}9Î¬Ò5+¯Œ^<L½×‘x+]ºžîNviY˜ª_Á(Z‘&}Ìíbc:å§2U¡®þh2¥·³£Æ7Lzûöåx©¿q¼_£.þ-þjendstream
 Xendobj
 X42 0 obj
 X2220
 Xendobj
 X40 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R14 14 0 R
 X/R7 7 0 R
 X>>
 X>>
 X/Contents 41 0 R
 X>>
 Xendobj
 X44 0 obj
 X<</Length 45 0 R/Filter /FlateDecode>>
 Xstream
 Xxœ\mÜÆ‘þ®_1m@¢Ù¯ìŽqÇ†…$vb/àNùÀáî2š®Éí	‡ü÷«~j²Gvç¤í%û¥ê©§žªfÛ°]ëþÿÜŸ^ýúê×óÿ–þØŸv¼{õÕOû‡»‡WmÓ¶R0#ôînÿ*ü"Û1®Éå®c¶éŒÜÝ¾¸{—üÿò4ì®Ï‡þ2ì¦ÿ·y8ûóe·\Ü¿~ìç±¿?Ëîe¼<ùãùašOýeœÎ»‡y:Å|óåÝ?ý:![!ÜÚÝÆ“9|±<ûËpØ=÷ûÃ¥qƒ¿ú‰É8ñ7ð‹\¶mËÝï½‘m#µÜ½ á¬yÃoïð¿y¸ìþcÇ¾vOÈ¿Æâël£ÚôÿÚ
ÇeØýO1W–On¿þÍ_øŽ¨üsÏï¿€?ßùu\¨%…3’ªÓ~‹ƒ³zÃÛ¦~§¾¯ó°Øý0¼ÄcØOØãÓóq8
ç‹ßûð`zòJµÊøýÃ§ÚFk?±;8¤tB¶emç·ÞjZV#Žýü8,—]Z\Ë•Ð_¡`NÃöÓéN}\òó³Þâ”l¸‰ã.O=y–´¶Ó~r`„VÊ0æ©?äI)!lÇãÏO™ò8
Ñ*?€7†ú÷¸,-ÛNw~€ló8õ‡çÑÁ<X 6©ã~&h£/OÃ9?
¦#_=ïÎâ|òŒçÇ¼~8Ñ0s
Û)ÓòÉ[™µº3ë™Öv†ãÍCD×ë7ŒÞ¤M<ËøˆsÊ'"â¼ôËö è¹ÁŒ”LÆõƒÕÂ™àúï§ëùÐÏŸp4Óªõk|ÿÅ»wïÞ™gÕºÃ“ñäÒÑîûóyºTLRmÏNJi:W°8`ÿ4ZbGZ)îwR˜&Ê»¿áH)‚1ïOmð¨ãe˜ÉC„ÕÜúÉÈFó8ãÃ4,ä<¬U,zS§½9áF¥•o¶¶åqýÚ»ÜÃõxü”××nt8žnúeN¯Ä Tü†wMûô0÷ÎæôÝ©.œ£4M2¨€dRiÑú…
 XÑH“vðwžéÀ(,TÛ†å…:PõvœWíKÙ8»ž<Œ˜‚Â}vË<[`ðŸŸUÀÐhU”Ò«à1"zÓqæ#.	!ê3ø[üùr}~žè›SbDù¦°lN÷xìÀ$³4iÀa:“!Rë€:p²]6íO[txÎ×w! l„óõÖ=ŒçþˆÓeR2n‹Î`Âq>x
Ö«“¥iÿ×Oß}Ãã¯Ñ*¹2ÂÆa	sÔÅÃ:!˜X‡Õð–ñ¦ p„-‹Æ•öçO/ý§÷_6d[XðA8“,øÝ¥æ¥pÄ,mlöÒ¡ØÊ«®™ 8‡Ç˜ˆ»"=¢G#s€á~l•ãiLžüÛi
 XP x#»•Sæ‡-Å-‡é¶÷4¨eéÝ_óÃ ôJÍ#¤ˆ„©#â©uPèÎf¼½Ö!…c
§ªd±4¢?Â-d€ƒƒÇÄß
®
"ÜmÍŽˆË“=è6¢µûËt!vó0ÌªhøiÌq8?'%¾jL—Lº·ž¨nÁæ”ÀežÖZ¡DO–Ö4™†u)LD™Ööò4îŸ¶	,B¥=ÄƒÌ8g5oùè8 ]ðÛ
F|8O/™`Ü@Í;˜Â¾Ÿ8›Ÿ§A*Ó¸w\˜hOÉ™x¦õJwš'æ¤ü Ü^çK Í*uzêë†CèÎý0œÉy2Ë6Œb×K?ˆƒ"KÑX[ðŠ4ŠÛ-i<®Œ±Œ‚3d¸iJKJƒîª‹p/üq+pnãw^ò‰q_] ŽMVS‹)p\Ù3‰SñVDá2ì>•Ø†jKªKçê1Ù¼5>Ù†Xð¥{cÅ6aµ-Ó[ã$îèÌÓTüÑ;›ÁÀ»¥Çb~ããåš¬µé¬TšR?Ï¹Uînå,Ü;
 XðÚ6)L|ï8ñaÜ@bá íó©úK_y]‹#è.¸#ûD^¶Ãé)…(wKJWÉ”n’KÞƒç
 X¿žyæ-MÚÄì  u'ØjÀ@@è:b(X‡IÐôÃ€!§œØjŠeáE2íÃUªÖ£åÆñp€à¹@#L²óÃp	zD%Cƒ Óš‚¾*¾g£«é—ach>@ì¦ 
iöddD`Ã¥
1”“é;1&úXME‘Ñcsô×·ÿùö›?¿)”HÕ÷¢®õ—w?üéÇ_6ò;T¡“¢}ã‚7äBâ®cHÒF‹I¨õB¡ '¸0ÀT2\`ë@\’Ju„çaÞàÝxHHÆ ž¥]#™2",_®Ñ¯V3¦âê4“c¿Ç£½˜Ö[î á¶u©:ŠNöà<%3qB8&Úš`ÐIpÖË;ÑE3QI„€¼ëz*¦É³h·«&´²à…Hç(²tÞpüˆýñ:l&ËU£¶´èõTá	#MÜ,¸@µrEØâNËÎCGSg+ƒ‚ýêóo¿À3I»{ÃµwpxœÆï“!=»MFsçó«Ç?8[µmŒHa¼ñÂ$ã/U„gøfk×ZÈAàQ6ÿÃ8=Žä¢`,çC¿™‹NnI>$r¾Ô£*Ó†
€l0³†OËeÈ>L¨&£ÌƒÆM’}@^•^sÕ!ÄÎ
 XY…ieTä›†ÒÉyº*Cø¼@áoCèñ¥ÂÑþÄ91ë"\XSU?ƒ˜([‘Ì?ÂrÐÏp›‹ìŒ$£î¤©rçVŸhÿy¸¼Ló‡ZLÌÅüƒ‘ËºªÒ„ÚŽöÓ1w·ÉL;ë‡à>1¬ü—icØÁÍÍÄ–*Áæ$‹†ƒœ”PzO“²×<©«n„Ä„¯RŸxòÍ®–@tçÁ[ó.TõC¢÷lôÃ|,€p™;U¥ìCå-Ù‰'¹/ã–gá)íÎi:Œ#Y¾èL'üƒ„“U“Ë&ê#Nˆè€q>%nÐùò„á,£jìp# óI aMa]™`hOå	©xÎÃÇ¸‰…‹HE8:²>ðj¥£”-|º«-®¾€UØš.,„ÅfÎoc«øôŒ—éz$nHó¤YoðiŸ?;t&ÒM|	PQÍäþ891¼–$J„ëÿß$‘l›$±B^œ>¶‘ªò!'™N)UeTäèÆ‹bmMÔÖá¢Žª;¯Ã¾uÞù”àÔï
>™ÁVv1êÃÃC‰íç+Qh²%Rv†–È\pVë 8\®Ïhe€°ñ¼dÞH@²é…ÖÎ£×@Íü®S6J0sþKI$ƒƒ¿Ùß8Ó¬¦}&óÏ G2ÿXˆ° œì·›©”Aþ1‘ÀÉ¥’,šb®ì/×>Õ@¢*
O
Ã ê'O:ŒË|}Î«\H)Ai|ô Ñédx].\æþáaÜã³ŒV]Y3¨û!+[™žWˆÆ¾OròŠ_AV kAâIƒŽ—“¹y J&Œà2ÕAsšÿà=çD¡a£°öH<FY¥k Ñ:mäA.3ôi°Úr÷t]¶þ`ÛÓä£Ûòyg’"8VÂÖó´,cªo"‘FOÇÐHò.FJ˜´.M‚•Y\XÆ²x6ÑŽ	6Æ³“þH7&¤À@OZQ20²Ñ¨ñÊ«…ÆKåe™R:X TòN Þ!5.ÅƒN²¹,[ôt-j„D™–M›Ÿ(Ó^™¥™çy:\÷ÎÈ¶›
¦‘Ñ½Ølâ‰®{$3õ›žèÅ[TK£G68;Uê«È˜üãy»I”Ò%ƒDi!{è:Mñ†æÄÌÈ€`àø9azO!V±W+U:×ÌÖ”œÝ®áÉ›hµŒ$V‹
 Xƒ¡%Á½ÔK#c;Ÿ2›Ö©–‘õ×—a&ööÉ‘v!.÷L$†Ó½öÂbL5Š‘ùüp¸™®e’%DRã“iö0æ\í®d5Š+›R¿Ö îëH.ŸªÞp«Nã62áræSûé|¥ÎUŽº§œ.–«xÙ#[Õa»§r°Ö6YZMžâÎüc¨ÉS˜§(Æ
 X[ÄQDç•wÒ`’1‡“¢Òš[o®õJ:ÍÖH
 Xg&“¶Àü|bÆr/S5w‚”–gQ¾¶(ö‡Óx—¦ŽÙsÃšBöÔç¨.¹å*9Ù:ïõ,‘ì€<¶ŸÄŽ©¸TÃà*e}YÖMVôq$6‰¹¯¹þšsß`µÀöDÒ,XÒž qÃ5
 X¼2uA`v÷<åi0kLô\•Œ	È'ZEìù) †ç=fŠ@õdöÌ9Çñüa©ÙBN©%ùf53Í(1~\<6¾;x¤¨Kö‰´(ÐmÂÕÁFf¼½½.PÊ;²	ny¿[1ìP1tR»UÇÓäx	ìhçbÕV3|G‚ˆÑvaŽ¹¬>ÍªB,Q"îÝ¨©Æ²-Ùê8PÖè÷9;2J
 XÃH¶$rC’û¸êŠHIfúù‡a>$Ae±¹Í`+Çi8M3Q®°R˜ò]§›Ü†jOenƒ¾m‹•á|ØQá½LeúSå½€©ò>V‹-Â8ÀÁ°,ý\“_$o”ª¸i$ý¡")RKÃ,µS¬I6*Íõ,±Æ¾%–EˆAp—Y¬§1ô„ë2)TdIÒ17p>ŸêÄíýD2åZ¹>õ_H“%¡Ã³ZÈë*¨àjYBAø²1¦ÈDÊ†ÿ~çay½}MªJî5gú:¿®QöaceD[§C3XüÇ";sy\è2¥j?òÂyg2˜fÉ L:pé>f’N÷‘@ñc,Û¬«µp¶`F•*y	Œúy‘×¬Ï«LÀØ¸–,®©Ç<9–§€])–!ú€éñ$šdfÛþy]Šâ.ðIÁƒò`Hçâ~˜ZÔiÐSe³í,xY»&f—tFM(7•½ÿâî›¿aË,"Q #'J(;}·²³úDnëºüÇsSqÊ”|…>Oê–D‹†ÛÒÄ°ªE9EËÖX*˜2¨&…Ÿþ~"mŒqž¸KYqx¸ÖTTKÍ$N*&¹ÌILh¢®È•@´?FÜ¸ñRøfÐ5ˆîáZû‡j!‹ŠKSµ¦D*]EÿñMR/ kU;lRÅj -×U»óõtOÉB‘$™ÜFF\[°'áEŸ\„ÒJ1Œu¥
óJ¯N!œ6”C½š¨sBIµp?/®¢×ÁÁÛ´Ë÷Êw«ð9á_³*}ax åU[Zf²Æ‰K¶®¥/úíZntHY}Cé.W0yÁ!ö¥Žk‘öò4`W6íA,8N8«Ž…K.ÆÜ6ü)Óz*Å‘jƒ?‡«€Ôzè*Ü´‡Žô´˜CÒRkSfa0õ~îgs
dû©MÑ¸“¤»»¿û™Æ¤k.²1.ä4ä2_k‘Ó5öAB¶vÏ²ÎRéª MN&h¹ÉiÛ(• eÆ2òÆ
 X‰ÀŸCPAbÆR&OýñáÍþ˜»âWzÈ¦ZŸ;ÔBÊY®p|2-5Ïpq˜eEòB‚
 XÖâÖ'Ï µ8b N¶LZëHóAenøzÌý<½,Ã¼ÔÚË%¾ì]¨nÚ¿o`Tyw%·0Ò‹GXeHâ†~©¥´æBS1ÕÚÜƒŠíØÂ‹A@a¶GÝé@;i/»»Òµåftç(7ÛTsã8¦£ºEvWÛÍ«E,õ—¬Š;VŸƒÔ\Yþ¤fl¹¯Îš ÷TwQnöyî¯‰¨cH°äV¬gòÔŸ¯wÛÕ%àõ¹G*¼4?-±9”àÚb#Ÿn©`x,´¥ˆ2·fí£1%Ùº:½Å@]]H+ÓV*¡ãVþz÷Xñ1žˆ¥L¢¯U¨Fô¹zQG2Ž© 4‘x°“Éi¯ØÇ‰vpÄÔN&ùØõ\&ì+Á/S²•`¡áå&%	poÔé]-ÞÀqêUòz¼€S&9ž°–÷×—~D¬v9|%h…m™(±°gó8¼“1]Ÿ(£µŽœUÒãœš¦MzBá±Œj#7€@n+VÌvò%Ë<Ð5w‘4pâ"`p€Î‚šW0
 XZkº«ò>‹¾ôVNNn‘’ZìïÀ™ôÍfyìö%àJ®*8p«AÉtÑ±H‡RHwsÛ†ÂÙºßo\ŒÂM!Á¤Ü¢îWÑÙbÁ±Ôû ,öÃ‘æ¢;QÝ…êNÈÔhk°£7UEùòCeÕù;ÆPHo¸ÐQò³þòs[R¢Šk+–Y>õì"j?ãZ,¶’Rƒõ†Ž0³öëÓ4×YdF²ËRw$LLöà‡^ú—Í  Z†
«H«'.ƒiÿÒŸp °HTU>GÄU em²0îËRØÃ§¢÷ï?ìüµ@wÁ±³âõ.!¨hø?PúÐÜÄ’ ?Å‚ïû¥ˆ€Õpä,ñ]^¦*d¨m›d€-lâ59ÇCÝ^]ÙÄXóRÒ–‡—Jòµ“ˆçq_¹“BnÌ‡t¡’Æòo÷Å”	&©Œ‘0ì¡rIf¾à®ÖÌê–â›Õ&
Ód„
œa<¦\	´Ræe
XV¢ÒýqšrÕÔÝ‘°©Ú[úÊ;]”‡ÜÅ¼Šxm™âQS‘ˆYÎPhÅœÖ„6wBIHµyý[Égoa$x@–µª/ÛÞHÈ—S}®7 Y;±µš9Cjý9I†¼§”Iu‹Ø‰·ƒÜKâ‹ù»$ªUô³ZÂÈÔ›•§›ñ .e
rŒÞC\ñ®<ÊÇÕÏUy‡$-7né’°XÞÒÅÄQð†e0"
 XJ&Øå¹Ÿ²bI†J‰ðZ0™á@´¤ÓjÍYü¢i¹}‹°Mt ’Feßkd’ìs©¦w”ïø"üN‡d
XÖµ(YÂ>lRùžÈýEô8Òìæ7Y’ÔªCˆíæ•C|^Šß ¾FZ=Öêë0geW4qí7ë*L$.gˆ›œë0ßþ|÷öy÷ó÷ßþiëcÚfS†2ã"E—X•Í
 XãˆiZÑÐÄýFošÖY6éOÅ,ûwP½’àÒKx„à‚ã´I½SYÇXHRA¢+¶u“ðÈ‰C’Ô9
\$Píw?TJŠ¾+&±q¶I×Ûsíw–ë±¸!d³±“ßßÍb}r<¦_êè:_Ð'µíBÄÉÂgùÂóçƒÕ„ÒÆ$ö§ÔYžÆk×ÍÃ.'R+-ºœ¢FG…Ó±^mD<¾ŠÈ$V.·–ûTëï`Ý’ûH"×"¿u7VâE¡²‰Ÿ|†*?„·›1Ãâ"Ø¸<Ñ«{éÌ>_¶Ï{Zm£p˜«_Ñ)*uËx¨§¤÷èÿ‹î+øý¨
 OÈW»¥!	½Ó
35,¸9f¤©U¥4hš—P¬ãRñÔ‹–ii³ÿˆIIÜ5CL'à<ä6øî:;0syÙëZ8S‹ø7£i+¬_q›åö¹å¦–9p¾‘ÝWOÍã»éS…ô¶q*·±•LL™áT2Ýw"EL€ÚÚöP¸®ÞË&Sÿíàƒ{šáYe“^;¾IÓŸ'²fÒÐDhbÑÐ„»B¾rDôˆÝÕ†oààþÂæ|õö›?¿Þ>ÌÝ¨ÊMÑ2³ŠØaëœ*`
Ú²ÔEoh¬¤.ì'ˆYõ~Rr]ùJKPä6áT¢á§r–¬\¤«š¹˜± Lµ[†{!ƒ&¯Ç#2×Ñ8óeþ×ŸÿBÉ€”¡›HÇÏÃ<NE7Äp™BG|Î4)€Ë¤
 X xîöüàQ.…hü{š¢"Ñ¶hJ‘è4HðK…¥øÒi2ÏºÄ÷ý²ú×¶8¾‘fÝœKnÂ©ÁøÒó™í×Z3úÔ2sðEÿB«!]
¿W´~K£óEÿ‡óp™ûó’EA&]úØA¿-rYê%lVÓýÊ+sSŽZs·Æó¨à‹ÝÜâºž_úâ#pˆUtÃ3TÑ€m‘jxx(Ïcð¤Æ0½º™Ü•v¨ÐÛk¨ð€-	/¾Ò`¢µn,?“T»ñIwƒ"›ö»ènø|á–%JS'"eÃ’»+•`	žãm
 X{£üxÆô¡ÿTKæÂ·D±[¥BTéV¬îÓñæ¹]x_!ÅK&Ý'œÖô°ŸÝGIL×u)ÁÏŠ
 XÉP6hÛtGCv~$é¢:~ªì)½×xœÎ¤XoõÞå¨oÝcÇþX½Æ™s¾<‡y±C4+óg$sàû»;ì“P²¢0JZŽFp¬óB?m&ÜM¿]²ÅÊ´¿ø¹TÀÚWhY‘’eÌ^‘%ú.÷½ÂKRh§}e+;RÕúŸj‡Lï¦\çý²öÚœn€B¹/"8¸¦d*å˜‰³ûé
½È¢G½,Ùã†*.ŽÑdÜðÅ:Jµ‹e:^oHŽõû…x`î;£ÈéIá»ÜÍëçéþ8œjt‹˜éÇÈbµuréé{ÊUÂej±|Ó }Êïh  WÑiÔ
 XÑÆ«ÔÎKè}Ÿz÷6)ÒüR¤,ä‹ÆBáýDvÈÇVIOWN¶œÝjp$i!}ÇÕ¤%|PCÜÌ5)éÙä,E’O2‰·'ê
 XR¸{Ç>£!¥Ž*Häå!,ñÌòµÒ7ÇþPEÚ-Àémºt‡—ÔO=I±ˆíŠù[;ûön÷÷Wõ¿£Aœ‰endstream
 Xendobj
 X45 0 obj
 X6674
 Xendobj
 X43 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R19 19 0 R
 X/R14 14 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 44 0 R
 X>>
 Xendobj
 X47 0 obj
 X<</Length 48 0 R/Filter /FlateDecode>>
 Xstream
 Xxœ]Mä¸‘½÷¯¨›=@—,Š_¢ÌônÃƒ]ØãéŒ…gªLU—¶3SåTf—{ý%’ñ(1»=;>0¥”È`|¼ˆxA×•¸«ýÿÂ¿wÇ7ÿxó;1ÿ·ø¯Ýñî‡‡7øÙúÿððôæ¾®j!¬¨›»‡Ý›å‡â®U•3wV¸Ê¶êîáøûéy¼öwß=üÏúAêZÖÚÿ¢q•0ô›‡ýïûøwÑÖµµóEåt³ü}ê/¿¡ÛùÂTáïÏÃ”þnµ¨Ûùu%kµ<qŽýx½Ìå—²ñ3_YjÝ¶ÙZïç'¤3Û¬öº{Nû‘¦&y,«¡…‡ Õ<w—øDÓø-Íï°•6á‰.‚þl´ò¿Žˆ¾rO_#ÑÑc/ã4
‡þ.=n¤²óŠdË+zÎÓ…$j¹¬‰N)|ïÜ_ÎÝi:,¢Ú9'µôÏ)U5áÁñ©°pØ|Ç¿o•«›ù÷måå –'Þÿøç$ÓŠ&®ÄÆO¼‡Cáè‘Æ™Í!øÍ´óWd<ïýxêY„1¢]DhuÕÐªY„¯Ãåy8¥Õ$ŸY/š–Wtyî·ê%tå÷_T¯º±J	ôKÅséÏÃ¸¯`íÆèEI;¢5|ŸVCê£j¹lŽìÊ†ú¾ÐöN—¡;ðu˜O^¹J™ ‡Çn÷éž •Þ¹E–$‡¦R
 XÄ0>=Œƒö·¸2ajmMXzÝ¨$¨SÉ~êÊ¤•í§©Úha×©çïh)]8Q‘PÃwF>°FŠh‚Z8œvç¾›úí±Jrí7ŽÕD5ÃcÍs/ŒòúüÜ®¼·F,VoØ¦¯tjéUt°ílÕbý8÷»þå2„ÇÖFHû7k#ôönjEUˆÍy*¾ŠüYÕøçáHÇÚõË¢)^"ÈÁÈÍ‚XÒ÷¢5•”(¢(ð•{ õ°ñMàê¶iÚÅ<HHMT Réþ2q@ð~hñyŠ^Ñãå¬Ã9m]´•‰:ý÷Ÿß¿¢iÞ²4º•ó»4I é~¿ËO ÅJ)dÐ³r(´ÔŠ<Ñ¯%±JòqÝiŽÀ:Ù©FQøÕÑrÂ›f£Ó$µ&œ t1Þ¼ô»áé¿L;×.Ÿ£=Äs~_ËFU'mÙt)Š¬*Íp|9ô÷,*ú¥
Bh«LGòN¼ê–NQ‡cŒ±6i(°ñT¡S!:‘…ùÿi|í?÷g~HÒqJŽ\Çõ}>³ûÈk|øÙFÞÚkDŒ-5çþÌŽ£Ñá-ä2U…ÊÜñSµ¡_×fþq.é—
Jt˜¨€6ËßmÕØ ¥Óõøˆûfë£°’,Üj)¦Dw˜0¹ÃñLÎ<‰“'H‹ìÏ® óê^t÷‚¨µM:À¨éA'šâ‡ÿf›®½Ÿ5j-‡\ÌÑ?fqFó~þþó‡¢Í6ºJF±2YÑHY/³ÁÎOQTµECmde¢ÿ‹†š)y·ºjDîÝºKQ\â>o‰B±Ö”D‘Ger9òf%uUF„°l¢]K‘à¦‚¸Í¯jg¾–1àNÝ‘µ]x¥’Qøèfqø8ž	SÓ•G°F¶:
 Xuâ¶õâ¾é4šø÷}wa¬%MÐS'¯üÑëêô–…®-yÅÅ/hvóO×³7j8Ù´6šQüt¹î¿¤Ui©dˆ:¢Ê!;
Û,ÕZ¯v€ÊÏãc÷xHï"D¾¦	Ö–²€EûiêÎüûeÕ$O	nÙ4„vu´î¨ŸûþÒŸÃ©f”d_2²8v€¬×è˜µa‡3ˆÁ]2b4ä#5êûÓx.h•bÃArd;RŠ„Ò†„aWa‰T/zW+"£ÑºY»@XŠ¨
 X+É^’qôXe=zo7k<r_cÎ×žÓ~a‘«|.W|”T^yã[ôK®lÌo§Û]®$;Ì<Ø÷8>wã•å~6w>zšC…ÏÅ5Õw÷$êÆËcÿû–!•ÑÚ»æÔQƒÞ§Ýá:{¥å±0ž¦ Ö;ÿä~ÙúœžÃùÑÎÍ’ác~~ê:i+À	û9ÚŸ!E[¹dä¨E|f7îû‚'¤GtôcÏÝTx‰H¹=¤/ ð‚P å[Íâ$.«è¹FÊòº<ö(c¤DfÀþ#Û=ÃB©[ q	Dd)÷W`„Gdyj¿DBÒ€fS ‡ùñ'„¤ŸMØºŽox?.øat«mˆÌ*ÚE£3`º´˜¿1èÒQ…H
 XÊ8õýq*V;×HÐuÎ’1Òi‘ò’Íéu<*X.a³±ýÚ´¤ç"ìœr‚ýž
(Y¸Œàó¼Pã÷ÔäE˜ãUi¼ÖD,Ò&ppìÎŸ:_ò)aÇÐæñ0î>•Ü6÷/ÔthÝm¦_sàôûW‹~icÃ”l»yÂ a¼–Eè*ífºa|‚+\§ÉŠOñÏš¶SVnú§‡‡Ÿø¡FÛP)„úÞÔÏ¸ëKmkC6•J0OçñˆúSÞ¬¼Dæ·Nzé Éé]ŽªÜ]/ÏãùwhÖ)áy2¿ç@˜Ò´Ç6h|‚i_¦K¥oTñjÞ‹]O§áô ÑÉø¤e úþÜ÷?|øw€VÎ	’¶söÉômº”öþ9êÑ÷¿|W8`_¶³›¸NÛƒâ¢³J-ÇbÙƒým8íÇWV4IY^BibóÜ??„H`Àµe)ÂnH¡“Ÿ‡=Ï(Ö?·†¨?üò]Á'xàý\Éà…‰šäæRËx6h<7 Í(IIR}ÍûÅbý øE’Qc—Ä¡ÈË8œJu/:N÷ÕÃ‚w@Xrd"r9,GÏ†¯KúÀR]¿Á:+±©à=ÍéžwK¾2•‚Ee3-Fáš¦mCi:µ<¾¨ ÔNÊ³¼‹"åãÔ3†“ Æê¥¼I&-ºÿgG`ÂâHŸM(;%;í?÷Ý¡/$Ÿd¨u©—P·Š#¥HÅRìŽ L«çg BI¡“>ð1J^’6•M–ó…”¾‡h¡¥<«ŽPsyèÐî@I”V,6hæ¼k7
 X$É ‹ÙAS²_Ÿ”gd~ð@…´SË©®Œtq÷œ+Wššó5,iÛjG	Ðíû—Áã‰5«¥@HÛOe×ÇþªzóCµ¯¨¦*§Š
 X÷KZr¹)†Î—ÝËþz|a1ZXë‚²¹¨Jx÷×K¡Ú¥5E!()$e1±F(,‰@$QYÖv½M==H—|cf«úX4:X™ö©¿Š¿Îè;ý°Ò¬I˜«!âjttÔ‡Àã ¬Þ„A‚#â úRÛ)y{ÒÊu/À:drd)“S!‹>~x'î~¨Úúîßî¾§ã›?ÞUwB“5Ë?
 X•–ó×ïî}³qvÊô“¦ôÿ,ýÄ8?¡PèæŸÈð,ýÈÿÖÿ„v·<÷J×ZS¾¥Jßò?¢oµÒæßZv¤o}Ë?_øVZ¤)|ËˆÆ‹Â4v%ŠÙzïìoüVúa[ú–ÿ}K5¢$v÷Û÷5„’îÂ·üGè[„vç%Äÿs_¢¤óGè[VÈ‚ÅMÝøÖ·ŠºáDºáZYÚ—.-Ï¯‹–çKÜy¡b©[µØ¥·›¥Joú¯qÌÐWÒÉ¦¸´#çýt=pm¯¡|Ñ- Ìób&Â¸°–j‰[„c[ËÀ…K²yŸ+!ÃÛÞ¢ÓQ&†ÀÝ_ÙocÄÂƒ [/J¡M‰RK„Ûì“tVŠÿ–—5Þ$;þN?u«HÛ¼þ~3¯·÷°SÅü†…Š	¶˜;tÖHËØT”ªð%€a>n²N³R]¢sd‚^‹ªƒÊ•$Ü‘Ûüšôê
»"”P:`BiÂ.(•sé.¯˜Ïó¶¥æ&Àm…jrB‚äƒf<Í”‰©R1‰ð›[Ðš8A£„>%#¼MÜ7#¹	úT"8|ÅK´\ÍüŠ— D4‘TŠvçë@±Ú>vw„N>B´ÞSÎ"’f)•±ÙR'Áè¶Ö>i‰
üf>t,Fö§rob¹k#ëjã×Ûß9 (Ïû°|ZŽ¼QlJ¥¶|·ÿÜŸ/Ã@™·YZSî¢€^ç²@1I0é!¬~"Äß0ë÷ÿÅ¬˜Îÿ{Ö«[
,ºì_6ÛJŽ…™Š}Bþò]:ÚFÓÑm„4‹.ä.|„r¼žOÅ¼K3Øüà(5‘¼¹É¢D3ñinHÆ8£”Y2\
aÁd	¨õµ+Nrx<õ§}´ÃÕ¶¤ªL"· '¨+ºZ¥†¹îÐgRO”§Î:Czî›,ùZwé*ÐfÑÄJP\È,ÞØXt”|¤C‚U†2&:ÑðÄõ´;ôÝyûÒîN0 yîì;Y-ÀSbDTóu1àó0 ºK?m›ŠØâóe×X9çš÷»Ÿ@CEì¸`!íå<^ÆÝÈ}ÀÖ³º\0âø¢…å2ìòÖ
 X©Q ÎÜZ—ÊÚdž@cüõmIM”áóÈÚÏžÛß@×LÝ)Äst2¬úl©¤‰g5¢ör4¥°Åþ¨f‡áS	×´ÜéN8C4r!
 XÑ¯Œ§Oöu)·R
sÐRX×·Ø\äÂ_‡ýå¹ÀÍUm•k¬>µ$Ü%Âî/LÃåº:VfÊ–“ùýØ—=ô BuƒÊÐ÷G^£#€ÞXm¶\{…qÇ!S(×Ø@„jÅŠ³»r=4T/=ÝÌ]úk¨7Õ¥qáÉ,iAÏãõãóVÁ<X«{Vßúh# …ÂèxËä†:ž:¬ãQúb)YâQžû—ñŒ•+ÆtX·{üG‘ã1f¤Cî#h7cÎíàÎ%	0ù©bçøÂ›Î¥vÍ’¶á1\±ºÛ¤Â¥§vGfÒ»¿VEÓ•~ä¡6"”ÿ  úÔí2g‘°QBèYO	*µdÆI€Ì
 X‚óXx«£NÑÖÌÀ”86Öî‚líAñšÑ ?•ïçî3PæU·~ÍnôÜ…KøRÚy•ÄJ²œ¤'µ[9QxsMLT¢çß§Dh””>‘DàjÁiC%µ±/˜X–¯‘½öPPý¾Œà^¸Ó‡m‹#Ž$~T£¹Õ•ñ£KA©+ÖÔ6t\Áâ§ÈÒÜücÈ¹
 ÒZoPoŠMÆñt”äX(ÈÍ„ˆo‚yÃMý5š‡ôÂòS˜ëe3)¤³*r
 X‘d¯¢Ç ¬uÀÜ!ƒ…Üë·–|*+`ZŸVWÉ‚(~×j>2_¦š{bôÌ_rg
 XfÁ»æ¦‘õN²Ú?‘:ò„žSe;òÐÊhxkØÊ HiÌRŸ"KÎÎ“EwO2JÒýz"Ø
 X´«˜<¯V‘œc’¿âr&W¹%Ô²VBÅ†½#$ú¹wtžñ(Ö»'ó9}‘Ê‚ø3Ý$ElÐE)®S«,ýºB[;ÍÔŒH®§sï{©õ[èØãXÞ-È¬þ& ò±|{,bb†ÄSxbôØZOKx4
 X~Êuº ÀiÈŠ˜€³ß¼¼@þÄ–èçWâ®‹!+&ó#t0ž¿4ß¦I©W ‘CR‡9Aw8÷sNkß.[`;Å”:Aª8Ë‘uÙôµNNíñF/KüwPF?±µhJ¿…²Á1¦ç‰‡÷›léñ‡rÇžbu®“{’—pp X½ÚdÖÇáã3ÖÑOA	1€ßi<öÞ3”""E"ú‰‹'2ŸiÉ/F’J/;÷ÓõP$GØJ'*=Â[·î†¿š}õT!ð#qèö?DæÏR”9‚ãªìq8!”ò–¥¬áj˜¦+õ–²ÜQ@DÉF»“gŠFw=L»‘ âuÑÛèšûÊEG™"LÏ´ò¶™=p32NkÉ»Ãû¼IÚumqÅH%KI”?`¤æ“lÂ°w+4•	é9ßôÉï
Æ_\ÈNceÈ\šÊ¥uŒÉØ(ík¢QÎ•õf.9'H•ð®,©bÚ ™¿öØgåmÞ¸æÔ‚¡“ •1ñ“;ñØ?w‡Ãž26	„Ï¹D|jæÿ»:S
 XÂJ,áV+f|îºë”QtÒèÛ2×¢<¾=gWÜñõÔÐÒpjƒÁtÏJVŽ,¸;9ì|ó ì¢\“Z»ä<ªê A9Ò—T˜XÔÀ=„ùò/3Ä]ÆT$å¾¿^®ä<<¡vy'6^3êš#þ#Ú´ƒ	Dáç= ñ¯Ömæƒ$«bß5ñWbzYÈã–[à'Q·sðF"*p\ºOõLoÔ[T¹Ü>‚3ÎÊJ“×M‰¤Ûïob0ka´ƒöJq¾üÔwór®ŸÆäNnÎÉãhÎùŒ¨C³
8G´*¤Lû<7ä ‚!Ò»ë ùLJzø%2JÑrÅá‹3«‚>@ ¼ __r¡p`ym!]O9íÈï„x#Ø±r¯ìæŠ…r(bœ<dëâ/›¹Ó„ç\©
z>Ü\K{Kœ¨Ôžzz>>t¼Ÿ¡Ô?vŒ¥/Ý'hî6~<ËýŽç?œ°ÏÜ:UGt—šâ»Ýx=] å*”±V˜èkïG¬Ëù<"RRŽ¹O¡>.¸µNÉ'”©²è@ñi<|†`Ý6gßšÏpkO-iRVí#çGNçÏîóM»c·UŒè.ÑzÇ—Mù)øŒy2Kd*0Ï5Hüõívºá@ŽÁ‚+ CxÞÀc]˜ÕÓœ5ñ|ÀüÕà— 5Â‰Åä ršfTÿÅ!Š-wËÅŒ5ÐõH‹ùFaêPÎ<õóŠ¹°·•{êþô1ã*‚7wŒJŸ»RK˜å1MLæ	ÚŒZ4I¦»üpâÙíÊþ)’˜Çî$”ªjv8_ÅÑ–{£·&»Êu–¬TYv°€4sc„¶¿ŒòÓßü„ˆë~‰Ò[ûcÜEó÷…|œ2ÅJƒð¶žwžÍÓ+Ëí&GÊè6|wMÖ³µmä°‰¾ ÙçÑs€ž©–÷á2o·B>múPØ=å~
 X¿4"j>.))á–?EúGßïKác&Ü·YÅó)‡óŸ•è	Æ©¸z?{ŒbªjÆ"Å¹¡ô™.Sò:þÏÖû®Ø;{ºf¨È“‡ê˜'2†ÕUšôbÁ ü
¯Hác€áy§èì‰Š
 Xà)Ñ†›:bêÕ²¿ÆäSÅ#úMÁKÍtut:ÂÓ¢‚Mˆ¹°ré{<a8†
!,Ã½qÔ<à¿†øõ¥ØhM6d”ú7°Ë<çTA2#};Vo¹ç¾À˜‚C…¹j2×å »Y³ú’ï·í‹@¾·}%
 X%\¾t>áxýžÁë—¸Áu]<»ßû5–"6ÀÎA³èxÁtV)7îN{ÄFä«”‰´—”¼ž}qÈ}þ]6x”ÅOýŠ¾F.Å5¡ÁÔ$à&øeéö(|\\J£ëIùçáãóyiZ"@U.ú1s+ëõ0™§&$ä"µ7ÕàIï(¸¼EZg½4_ž–ß©‘ÁWÅ‹QÐP&Ô&þ=úº’È”TøúcÄ')³ å|‹Û¬³}ê|p})ßHEþ
Í†33ìa%ÂqW,Óãí›2½¿d"ŽU¦$ÄûÀÇÃ0=÷{ÌUcM¸û_HŸ“â?Þ@¹ ^õæaà(¬|tÃ>ê±¿øùÈÇB2ƒÍ‡âœ‰*]°ƒLèh@j‰¢
 X|R'YXMkÓî:•¯ùR’»:€Œ(ÊÙxåÒº†þ!ôæ5[”*$œhQï—‹@Žã¹/eF-+EF°ŒãÌn*uùWw&Ï_;Úr’5pï˜buÑ`1šÅšn^ÂFI~ó’nj¾†¬póÒêöT.!ÑšÒ]L|À>Ï¾ï9Õ9êPTÓÖrØ®uì/–Šöótî–›Z
 XfáÉ„ß0L‘ ôH_'¹aýa˜g,±¾„Ü´ª2‡+#`õxe
 XæÜ‚$Éq–o+„ºnv[!ä0I|cvƒÒ–shÉÿ¥aØt
N8†Ü±ÄKHûµÚ8R¨ù¦¤	Áõßº$PP„«@/'ÈAþ’†~[“"÷ä6ÐØò
 Xñ-U¨Áåª.6ý3•¼ä
 XBÅ•’%Ú‹A‘	.ŒñÄÇ€eeÔ½]w8`G—C’90Æ³”{ÃVúžÿ.ÿñ7‚²·HÎñõ ŸNãkáÞ4_â|Jf""=#q¿»Ã¡èxoÝ6d’(ÍÒØ§µ	ùÒržË¾A†)<º®²ÎÍ!,5h±-pQ
 XäRm!Ý+Gîôµ;ï‹ÄGÊÚtûe¡LŒN73c¨XÁ§J«ÙfÊ—×0SÇ»•<c¿LW”\äù± ˜…g†×’÷Š$²DÝuS)àf—	mÆÔnÚ&8ÉÜ6¡ãº\¯‹<×	[¶i"¾Ô3¾Gåmä½_º¬ø5^ÆKw¸;Ð—(ð‘ªúÿ¶èƒkãÝM>¾?˜ªÂÖ&4Wøfœ§ë7ð<9„T5½ˆ¥‘¹40"ß÷V4µ ÅTn~ÐÆÁ‘|XJú…‰]Qg±ò›uvEo4ÏÚÝ¸^ªòù¬
 X»UÏ²%·Ê·*Ã²4³G.ž'2ÖÜ?ÿ)KªÛïFd@lwx=c±8ÀB„ÅÍÅÎó¶ ”ñm’û1©6õ¥/6¨M	‘ç´±5n^›qzÁ°a@)`ó4~ÝÝy¥³‹ÿWR¸]s"n¨ë!øÜŸã½©¹.Á±7PEËF„MœîÜtÜ×¡Fé…ß	¡/—º!qŠ§ (}J—lø‹b
:?,¼öâVy5Y/9¤Ti°R¦j[ÿÏaº¬Úd!	€Ì7ë‚%–5v?+Í:ùR¾!;w¥…\¼:PîRRdIEþ#ÌÀv»ç¡gº:ÓÓü}ñÇ©8°¥Ù0¼ ÉGÚà¾kºNEØ€Æã¼Dão“Œ¥ üî¹ß}šoíù¨…±ÖxªÄ
 X@½Îý+)Û½x»q.˜"¡s_Z#û–/MVÃ—Þ Q£#MžåkŽt›iÃÿK^ÑˆWŠ`›¾tŒÐtæí
[þþÝò§|ßTnRÒ{èØl¬ŽÍ:pS¿JÅD¤H¤ÂæãµüÈìPãå~7œ:pc±€Ê'Í5B$8Ù:õ	$ßÇê·ó¶$~±A¡´*ø†KàúrêŽC‰Ð¶i=î2?(„13&éøVfÊƒÃl™sN´qdVû;×‡Ï7nGüÚˆCSä	à$7|eâ¨¾©GÎîÆ´™“=ßóZ¼~ÛŠ9ƒ*¦¨<
 XçÉ“¢`W·ŠI%\¤‡óªIýçyû:õ¹<:”ì×&¬n›Ké†LK)AgÍX†ž›×HñDb=rÉ½Tr)?ÍjAŒ*ðvúTMâ`ÊU6öGz9uÈ#yåx‡ñÕÒ×îËýþãáî¯oþúæÿÖ¢’Ãendstream
 Xendobj
 X48 0 obj
 X7185
 Xendobj
 X46 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R14 14 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 47 0 R
 X>>
 Xendobj
 X50 0 obj
 X<</Length 51 0 R/Filter /FlateDecode>>
 Xstream
 Xxœå[ÛrÜF’}×WtèIŽ Àº_ü&iÆ3òŽmÉ±bÃVl€h4‰Uw£
 EköÛ7¨K(ÒÚpìÓú´E4ª*/'ÏÉÊ&Ý÷·ÿY^üöâ·
ÿ,ü¨›··/.¯µûƒÛÝ‹×¤ ”i!Íæ¶z1}nŒ(¬ÚhjmÄæöðêæ|:µ}½ùæö?_À'#DŒŸàº0ð‘Ûí«2ü’B”ûXõÂþNœÊêS=Ä§$!ÚŽO1[ÿ’ª=Ô}z„s«™„1=ÓãÂ#ÇÓB²é×Íð ™^àð‹ñ „JÂ§“PYXã—xóîßÒ ‚XeÇwˆ"<°Û—÷q-‰Õî×TÛ‚(±y
û¡Ê=Øû;;n¤Ób¢Ç¹;çŸ… ~ÃÇvXŸ?N4¾ÃXËÁ{Ó*6,sóï?Æ#iøÇÐñH¬Pá%îLq®ÈôF
 XÍUX§L›¥”3;Y_šó·çý6ŽDÆg˜.¤ö¯¹C»u/·BYáVœØ·+Û"=fáP’OFV¤0ÉÈïcDPˆ=-ýëÂÛª2¹8"ÊŒ·;SˆÝî¼O1c©drZÄ†è¯oú¡ÏXOÎ_ÏZÏ,lun=È®•êy(?×™øæ
.Ø×ÛL
 XQ5ZmÚI»¶‡³?{0È!'³[H2ÛC9`O*i¤öQÅD0Ìqè¾dìÂ«ÿ ªL!Cô>iSpeÖ†ÑeÂ Ø÷†)÷ûöÇ¿.šb¼I” bÜ†pY"Y´1Ä¦+#%K¡4åÖ›ZÞÕ÷ŠB¬áŠr*Mð¦µþX»f?Ô]\ž$¼„)¿N?tÍ©Ï,aÜ>ƒEhSùeß–Ûä.ÂÎUL¸ëÚCöH”ŽD¬$Òzëð86™o²ôEÚR%Øø8ìŠuã¡<Þ×™ãÁ®¨ëU„–¢þt~W}ý[r<Ä½Ï] ¿ïšzŸŽN„…6Ë;bã(©µåhœ¶{,»mn¯PäLf¯_a¡"4x^	ovõ~·ÉTx€ªõz(è¡&R¶
 XúE|¸úŠÈ¶Ù>B",ªÙøˆ†G|	GÜÕûöxŸI0NÐ–s F!V ®Ü™Ôê‚<¨.÷M&$™¼	e\jVÄû¾i™4àà2ÔFHIB×¡ººª›Ï)U-(¤ƒë›ý~fC‹

kuõpîÂe6Z™ª"ØGéEU¼¾¹EõUJˆ'xóÃC}\ìCÆí"˜Ëb”Œ	?‡(Ê8Þ'á1ýr	ìªãŸü>nD¡Ó‘bHH.óü% D3¬-?‹ˆ™é©ÑVqŸ½D¶]{Ê`ÛŒ$}Ý.'»[K=NûüÞqîsy4…¦ÆUxžN ‚ñ°eå¾ùÜølZ¼ÒIvÒbš 
×½òø½…3î$M¤æ€n‡r€d™/ÇG[K¯`Çò.,87dŠßE5‚bMý†bÁêê×´¬ ÉGj—l4¥Ý¯ßiA9iKog¢ÌCÆøÙÃË@LØÂÊ¶œ–ÈúÉ¯?û<öÉP¦óØüøð)3)ŸÂ< 9|ÌÉlúÏ¡g>}a_säK|| DÄÐÓ>òÉ$aëRDM
 XC#Ie*a#‘àh™NXdVQEàS·˜&&‰Á*D‹œ(+¤°Ï¹õÊrA…×'<1úr›•Å@©‚ËŸ	`'Ãé
ˆUb÷961zÎæc’ jWîÐO¯±Vð ·¢ÊyhªœF7.|ÖÉØk}2Ê¨À«öøz-"Á¸jÔ¼ëjÄ£
 X|~ßnÚcCÐ4÷)
ÿGÙçI-Ø(v ’L‘b‡ðòÀ„öCJ.€XŸ‚‰÷ïÊªÙ7CS§J@©¦µç&
 XÂþá	É
x‘5rPŠ/Ù@¹ÝfU#Æã6‡FY&àW’’é€Úa÷W‰+€Æñ÷<5"¾›“…XCT	ï¸}wµŽg,‚S8/#<“bh‹7Ëòá›‰Ö=£PÅò•DRR&_Ç²:‰t;ŠÀñ×$éÖªDÅRÒ°Q0-
 XŒ»ó±Š¥uQTj3¤þRˆ™¶Ÿ:E@=¦ßkÈß°Ûóq[‘$'ÖN#X!ýõÕCs²XÑÉ“,+?—Í¾¼saüå×oÒ¾µ“F‘4G”öTlt@Ö³@8)²ÃHæ&UHrt2OT»ô•dXð,àéJæÖÉèÊ…ÜEÔßAî®U!
QÒŸJ‹ØxÈ¦ªé(-&ä‘VDø
 ñÐöùÆ„Öc{sÕ™_Õhi¢Pì¯˜ŽæNöŽ6y6d$€ˆ,?ï‡\ýâ°™PŸše¤f¹Ÿ¡E[b—{Fít@ÙJŒVAèÄ†‡®Üíš *‡ cCp÷h%Ø-“ž}§æ°2lõð€‚t–âÓÖ…‚ôõnée‡{4Ì©ô  cÎÈyˆ¸ˆ”uóÖ)–Ðèìg[÷ÍýqÖ<M™$xJôEÍž(Hì°:Ú=£xŒº.é’£¸„òf%³Fª+C,v»:T;SSŽ©b»Ëd®ûêd·°qM—Nv<eV8µ5¾(ÊTD~}å~y
„+Ý†00<™(p8šèQw®ÒÞÇ§¼µ¤™ÅPÆ=N/7-c™‡¿¦ØÐ‰&fZ7 %µA
~ƒ˜RSÏ+˜±`‚^ÕÂ	ë€nˆ€P6"ævÛ¸êÒçò]ÐT 5C‡kª«*¿eÛ?´ 2AæªÀZz\3™ëe$ö*Ý*Üeø
Kj‹ÔŽ.gëNÏ’Õ!6ÐžÜñë‡ñ\ÂÔOÇ*×~GV¬ÿD“À\cW¥„*þ9[ „c£!•"a·4ÀsÌ%¨AýR.)£‘5¸w pD¸;V<Ä•ÞT|bçD*,¶ƒBžŒ¹ªÊÑÐy!õ€ à†‹kÀÊ6©ä$ˆ*NÒKx™¡ü„’Ÿh¨”t)TZ¤FQ·(Ñ|$æAñr¯E¶ýtlsMuÔb¥-£! "Y9µ3T´ÖbÙZ9žwu—u»ƒÕ,“œÂ]ó ñ•¶[¨È=6PbHôØH@Œò
 XŽ6ï#@ÜÐuÿtªãõ.“®#)…§&°ßtèúdª½ xâ
ðíâž‚óÐ&ˆWŒ®,·YSp–nž VV]s—U>`	L†®œ!Ó8•žSû_ßÔUìCAaÐQè«Ñ˜(g1å ØxGÇ+@™‘&u™+ÔºHMtI»	óîGd’wYÕƒ©Ö¹Ï«Ašú…èfK1HÃpO£mxÍëøP½€†Ä^›é0ƒA8KzÂ”ôù“À	u„¬T’úR³êöçf(ïÐU.T%6‰sœD×ç™êv=x;4wm—Ù¸Y_7=É/àamc‰~‚^Y˜XYªÓ¶ ÊÍŠX –-šóžÓÇÔÆÅÜÎ—'pœï€@¹e®o·}õ©¶õR1#ÝgHÌðYN‚ÁÔtñOÄÔ±~Ìhvš*Ú“š"“-5»Û?À6÷eœ…Î]3¿…>,ÉB“¢ é£<e'©áºˆM&6ÛíòÊg©ê”#O«ºµŽXj;p¢ñx2ÂUãnqïÎ¸	
 X $±'¼¾B;“PQL¨QJ@ýëgxÄ˜‘Úx%é8ügA2€Œ/ŽgÎ—Öhš 2¤ì÷ë,~šCÛb61³:!ÂALC1Î`N…t¹›!	ûtzî†j»v2^èsSfÝæ{•8
 XÐ#YmléÅ¤·šÈ”,ôw§ò¾Þüòþê»ë´†JÕ®óºrte_oïë`Bÿ¹q®åébO¾<C±í^†fb`6Á1›‰ð¶o>¡NB\™,î”(I*{x(ŸP<ƒ˜ñIeï_Ê®«1
%"ÈÔXÛ®ëÝâGøÇ—þ¡öøúÍG<KÞ
 X÷Ëè@‚ ,
Ì¢hvÎ;Êî~ÞÅÊÄ\¥,Ü¬Ä3ˆ9=”¨ò	©<ÁP‰¥:àÎÙ.$ÒIxð%IšHÜ]–å#10k™áù/P8Nè''¢:£2s#‹:/¸÷vÀm3M¸ú@m‰ÝH,*éž·v‹DfPáS“.8¼o÷ç¤µGCS;UbA$¥ªÀÈ`èD ÒËb6wëâ{/ð-Àóà¼ûäÂ î¾ƒlosYÚ¹{<wÍáøZ%éêÏMýˆÕLÊ1ÜbÆ9†räLk7ÈÚ€NÄë8tiåè\äçŠJ{¢b¼ IiAÕ FxÌ«#%z
¬×õ®L©ê¤8õ„
Sy{ýqs×}jöû‹ÍÛ²ys]÷uÙU1s d±È	Q†áôíåå¶®OE]}s®‹z{¾¼ë.§WúÅÃpØ§šKÑ»¦%·‘w7q¢j±j9¾ƒ8ÊãÐ >/UNu¬ƒ§à¿)Oçãð_å§¦G#[ŒQ1I¬'ð~{,Ñu¯aÜ¦ÉLpF¢
PU¸áOøîp>6Õ8zp±ù©ZPË×p+âÇ–ø²ä°>%
ÝÙáo>¢8¢–XN8ÞßÊt÷éÚP4^(…À¾ÆMWˆÅØàˆPþ¡‹Ý®¥Š‡R ë%JÙ ñd@†ˆÅIG4osÝTe‡´9<¢Â½Eò›¡ Oã‡Ì
 XTüd`EÆ2ðËÛwW—¨+¥V
 XíµS¬Áï÷û3°T òÛY%œòuÅ<äJ>‡bß®¹'¾×ž7$(ºÀ¾â´ÔûÃiï2ERt0 (;1ˆŽQôòbóf¬µ=¾þP÷ûúË…'Ã‰*-& Æ×Ç¿¼ÿé†²È{S+ŠpÔzïš¾B\Æ8Q;Éí÷ûÓMŒ3ê Ä3[Æ#?q÷Ç¸¯êP ”®Q˜üÊ$åa¸+„ÈKÜ`ÔFÇ1WÊ¥
}îsSáFàtèñ@|èÙEû;ÀMÜþeðÄN…4_Eå,Q@Ž_Bò‚©¶—Uu9l/·mu™²Ñ•<»|
°-HæË¾Ý
eW_6m O¹¤¬º¯ºøiÈM?€?|<Ñÿè.iwê?š“ÃÊ(<™b@×®¶½«y:h8žN…ŒQSw(sâªmw}QÏ®‹ò|ùßPá÷í1î•IË×!õão®>nŽ‡òt±ùîK»m»X Æ/Ã—n›c_Wç®.ÚîþÒ½äE×rµÜõwï´å)„	]›@$¿Od´´ÔÏB¹A'Ÿ—W@©ê}ŠAáƒß½¼íÊchú¹MWV‡@)º6
F,hwÏpbÁºêÚ”é‡Yhi½œÎ®Ú=$úÍí_6úb'ßÀÑáÿëÓP¦
 X5©H€h#ž‰è¦v£¥»]åþ%ð¾bø}ˆ.v`°Í§ö‰³ºÕdvËˆ¿t·±v]Ü8iÙ„¿Œ¦yò·]¹¡"Ð4”˜öÞ{y]ÿvnºI¢²§ät‹ xÒïìñ¢²BÌmðXgš„IÄx/än§Ñ¥P¼ïÂß’x"Fz>²LšTr-ûÔ%›šÊÄYË}ùˆÆË‹Y`ùK0Gà¼Îÿ+4ó c—’£W@á£&È½ir"YÁûscÿLÁRìùŠñÃYJ[â¸ÿT
 X…I
?#†2ký†|ü¾¬Ú»
þ%¦#h‹¹FÓq®r‡6›ŽÅ#âz?«Ž{9^ %ôb?oÝ@)CtµÀ!EÚQRà{†—a.(P0¦Ãwüûþúû”gvÏ™ÄÙH±v¨£òÞ‚lð¹¯¼ÿŽ`ˆSƒSÄ3›zPWu7ŽÄ‚8ÀQh€ö1 v–HÞ•&hàó8h !
g±'4%ÄÇ
84xl4"²Ó¬Õaàô«7bxYM’ö;?¦äþæTWÍÎg*œÿûó>M3ª–ïqÓ‚*Wà(_™+±47<œ’b×e6-<]V·ê4Dxù©îòH ;~-€>¶)è”Jcz³ CÍ¢y£Èg/¨ëÐY´“ö]±¹nÏÃ„€þÐÎ	 äfTöÿ•X%Yš¹ï'Tò‡þ¡ÀŽð}<¿ðf¿Ç€¡DÆÜŸgM¦™¼®ÊßûÙ@sV ‰"Îca%ˆçr ¬ÈJ3å)«™PQdî+`""™Rs_÷³ZÆ§¯ÍÞŽ#ó±ÃçÙÆ©µœ¾Sä,èoôd/:Îy£ÇX{sêšý2×ÓÉs
ý¿·•)À&Í×¡rC?®}ƒ'"ž½6dä³²7˜çÕP»ÑÏÊÝ8¼ùGrª]|[õiÕkb{„æD¯(H ä@·ø;Ì4,)Ç+\`Á#½±A©™´¦$©˜/uî*&˜XÄõ¨Ÿô(ûÿîQÔÇàß&[ôµuœ€‘]9ÐbQF72+B=Šã¸'öæìn}ó-ˆ·¢(PPP-,“:±b"Y@QêÔcs=YuHTŠåX¯9œôãÆÝeŸ§¤¢‘t0L=‡0þ£#È$®§ý×äfKýë‡›uM½ßüP6‡þ/¯Ü°ÍMUnÅÝòÎ¾ùÄ…ÃÔåê®§í¾Aï¾#¦»zèÊêÓFØ‹Ííç B£@èÁA§`Š±õq_vy{¶½ÝüóÅ? _üà¼…rendstream
 Xendobj
 X51 0 obj
 X5121
 Xendobj
 X49 0 obj
 X<<
 X/Type /Page
 X/MediaBox [0 0 612 792]
 X/Parent 2 0 R
 X/Resources << /ProcSet [/PDF /Text]
 X/Font <<
 X/R14 14 0 R
 X/R7 7 0 R
 X/R6 6 0 R
 X>>
 X>>
 X/Contents 50 0 R
 X>>
 Xendobj
 X21 0 obj
 X<</Type/Font/Name/R21/Subtype/Type1/BaseFont/Times-Italic>>
 Xendobj
 X20 0 obj
 X<</Type/Font/Name/R20/Subtype/Type1/BaseFont/Symbol>>
 Xendobj
 X19 0 obj
 X<</Type/Font/Name/R19/Subtype/Type1/BaseFont/Helvetica-Bold>>
 Xendobj
 X18 0 obj
 X<</Type/Font/Name/R18/Subtype/Type1/BaseFont/Courier-Oblique>>
 Xendobj
 X14 0 obj
 X<</Type/Font/Name/R14/Subtype/Type1/BaseFont/Courier>>
 Xendobj
 X7 0 obj
 X<</Type/Font/Name/R7/Subtype/Type1/BaseFont/Times-Roman>>
 Xendobj
 X6 0 obj
 X<</Type/Font/Name/R6/Subtype/Type1/BaseFont/Times-Bold>>
 Xendobj
 X2 0 obj
 X<< /Type /Pages /Kids [
 X3 0 R
 X8 0 R
 X11 0 R
 X15 0 R
 X22 0 R
 X25 0 R
 X28 0 R
 X31 0 R
 X34 0 R
 X37 0 R
 X40 0 R
 X43 0 R
 X46 0 R
 X49 0 R
 X] /Count 14
 X>>
 Xendobj
 X1 0 obj
 X<< /Type /Catalog /Pages 2 0 R
 X>>
 Xendobj
 X52 0 obj
 X<< /CreationDate (D:20010205161435)
 X/Producer (Aladdin Ghostscript 5.50)
 X>>
 Xendobj
 Xxref
 X0 53
 X0000000000 65535 f 
 X0000079316 00000 n 
 X0000079166 00000 n 
 X0000006282 00000 n 
 X0000000015 00000 n 
 X0000006262 00000 n 
 X0000079094 00000 n 
 X0000079021 00000 n 
 X0000014687 00000 n 
 X0000006440 00000 n 
 X0000014666 00000 n 
 X0000018872 00000 n 
 X0000014845 00000 n 
 X0000018851 00000 n 
 X0000078950 00000 n 
 X0000024829 00000 n 
 X0000019044 00000 n 
 X0000024808 00000 n 
 X0000078871 00000 n 
 X0000078793 00000 n 
 X0000078723 00000 n 
 X0000078647 00000 n 
 X0000031498 00000 n 
 X0000025049 00000 n 
 X0000031477 00000 n 
 X0000037929 00000 n 
 X0000031694 00000 n 
 X0000037908 00000 n 
 X0000043703 00000 n 
 X0000038101 00000 n 
 X0000043682 00000 n 
 X0000048847 00000 n 
 X0000043875 00000 n 
 X0000048826 00000 n 
 X0000053610 00000 n 
 X0000049031 00000 n 
 X0000053589 00000 n 
 X0000056211 00000 n 
 X0000053794 00000 n 
 X0000056190 00000 n 
 X0000058698 00000 n 
 X0000056385 00000 n 
 X0000058677 00000 n 
 X0000065627 00000 n 
 X0000058860 00000 n 
 X0000065606 00000 n 
 X0000073089 00000 n 
 X0000065811 00000 n 
 X0000073068 00000 n 
 X0000078475 00000 n 
 X0000073261 00000 n 
 X0000078454 00000 n 
 X0000079365 00000 n 
 Xtrailer
 X<< /Size 53 /Root 1 0 R /Info 52 0 R
 X>>
 Xstartxref
 X79457
 X%%EOF
 END-of-bitlbee/tcp_filtering.pdf
 echo x - bitlbee/Makefile
 sed 's/^X//' >bitlbee/Makefile << 'END-of-bitlbee/Makefile'
 X# New ports collection makefile for:   bitlbee
 X# Date created:        22 July 2003
 X# Whom:                Dusan Marjanovic <dbm@root.co.yu>
 X# $FreeBSD$
 X#
 X
 XPORTNAME=	bitlbee
 XPORTVERSION=	0.80
 XCATEGORIES=	irc
 XMASTER_SITES=	http://www.lintux.cx/downloads/
 X
 XMAINTAINER=	dbm@root.co.yu
 XCOMMENT=	An IRC to other chat networks gateway
 X
 XMAN8=		bitlbee.8
 XMAN8PREFIX=	${PREFIX}/share/
 XUSE_GMAKE=	yes
 XHAS_CONFIGURE=	yes
 X.include <bsd.port.mk>
 END-of-bitlbee/Makefile
 echo x - bitlbee/distinfo
 sed 's/^X//' >bitlbee/distinfo << 'END-of-bitlbee/distinfo'
 XMD5 (bitlbee-0.80.tar.gz) = 96d947bef8c6c40c865beaeee59737eb
 END-of-bitlbee/distinfo
 echo x - bitlbee/pkg-descr
 sed 's/^X//' >bitlbee/pkg-descr << 'END-of-bitlbee/pkg-descr'
 XThis is port of bitlbee, An IRC to other chat networks
 Xgateway. Bitlbee supports a wide range of different IM protocols like
 Xjabber, icq, msn...
 X
 XWWW: http://www.lintux.cx/bitlbee.html
 X
 X- Dusan Marjanovic
 Xdbm@root.co.yu
 END-of-bitlbee/pkg-descr
 echo x - bitlbee/pkg-plist
 sed 's/^X//' >bitlbee/pkg-plist << 'END-of-bitlbee/pkg-plist'
 Xshare/bitlbee/help.txt
 Xsbin/bitlbee
 Xetc/motd.txt
 X@dirrm share/bitlbee
 END-of-bitlbee/pkg-plist
 exit
 --- bitlbee-0.80.shar ends here ---

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030725004232.AEC89621B>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation