Massive replacement of 'fw' with '' in the Documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2025-01-18 03:29:12 +01:00 · 2005-09-12 18:43:26 +00:00 · 2005-09-12 18:43:26 +00:00 · 23b0f37ec2
commit 23b0f37ec2
parent 72c5855827
21 changed files with 313 additions and 431 deletions
--- a/Shorewall-docs2/Actions.xml
+++ b/Shorewall-docs2/Actions.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-08-28</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2005</year>
@ -221,6 +221,12 @@ Reject:REJECT   #Common Action for REJECT policy</programlisting>
        a log level. This will log to the ULOG target for routing to a
        separate log through use of ulogd (<ulink
        url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
        <para>You may also use a <ulink url="Macros.html">macro</ulink> in
        your action provided that the macro's expansion only results in the
        ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
        <filename>/usr/share/shorewall/Drop</filename> for an example of an
        action that users macros extensively.</para>
      </listitem>
      <listitem>
@ -369,7 +375,7 @@ Reject:REJECT   #Common Action for REJECT policy</programlisting>
    might do something like:</para>
    <programlisting>#ACTION      SOURCE      DEST        PROTO    DEST PORT(S)
-LogAndAccept loc         fw          tcp      22</programlisting>
+LogAndAccept loc         $FW         tcp      22</programlisting>
  </section>
  <section>
@ -399,7 +405,7 @@ bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
-foo:debug    fw         net</programlisting>
+foo:debug    $FW         net</programlisting>
        <para>Logging in the invoke 'foo' action will be as if foo had been
        defined as:</para>
@ -424,7 +430,7 @@ bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
-foo:debug!    fw         net</programlisting>
+foo:debug!   $FW        net</programlisting>
        <para>Logging in the invoke 'foo' action will be as if foo had been
        defined as:</para>
@ -463,7 +469,7 @@ bar:debug</programlisting>
    <para><filename>/etc/shorewall/rules</filename>:</para>
    <programlisting>#ACTION          SOURCE           DEST
-acton:info:test  fw               net</programlisting>
+acton:info:test  $FW              net</programlisting>
    <para>Your /etc/shorewall/acton file will be run with:</para>
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-09-08</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -1366,7 +1366,7 @@ loc        loc       REJECT    info</programlisting>
      <para><filename>/etc/shorewall/zones</filename>:</para>
      <programlisting>#ZONE    TYPE        OPTION
-fw       firewall
+$FW      firewall
 sam      plain
 net      plain
 loc      plain</programlisting>
@ -1434,7 +1434,7 @@ DNAT      net       loc:192.168.1.5 tcp      www
      <programlisting>#ACTION   SOURCE    DEST            PROTO    DEST PORT(S)
 ...
-DNAT      sam       fw              tcp      ssh
+DNAT      sam       $FW             tcp      ssh
 DNAT      net       loc:192.168.1.3 tcp      ssh
 ...</programlisting>
@ -2046,7 +2046,7 @@ DNAT&lt;4/min:8&gt;  net         loc:192.168.1.3  tcp        ssh</programlisting
      <programlisting>#ACTION  SOURCE  DEST   PROTO   DEST PORT(S)   SOURCE   ORIGINAL
 #                                              PORT(S)  DEST
 REDIRECT loc     3128   tcp     www            -        !206.124.146.177
-ACCEPT   fw      net    tcp     www</programlisting>
+ACCEPT   $FW     net    tcp     www</programlisting>
    </example>
    <example>
@ -2166,7 +2166,7 @@ DNAT     net      loc:192.168.1.101-192.168.1.109 tcp   80</programlisting>
 NONAT    loc:192.168.1.4,192.168.1.199 \
                 net    tcp     www
 REDIRECT loc     3128   tcp     www            -
-ACCEPT   fw      net    tcp     www</programlisting>
+ACCEPT   $FW     net    tcp     www</programlisting>
      <para>The reason that NONAT is used in the above example rather than
      ACCEPT+ is that the example is assuming the usual ACCEPT loc-&gt;net
@ -3244,16 +3244,6 @@ eth0                  eth1            206.124.146.176</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>FW</term>
        <listitem>
          <para>This parameter specifies the name of the firewall zone. If not
          set or if set to an empty string, the value <quote>fw</quote> is
          assumed.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>SUBSYSLOCK</term>
@ -4093,4 +4083,4 @@ eth1                -</programlisting>
        </revision>
      </revhistory></para>
  </appendix>
-</article>
+</article>
--- a/Shorewall-docs2/IPSEC-2.6.xml
+++ b/Shorewall-docs2/IPSEC-2.6.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-09-03</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2004</year>
@ -388,17 +388,6 @@ spdadd 134.28.54.2/32   206.162.148.9/32 any -P in  ipsec esp/tunnel/134.28.54.2
    <para>The <filename>setkey.conf</filename> file on gateway B would be
    similar.</para>
    <caution>
      <para>If you are running kernel 2.6.10 or later, then you need
      ipsec-tools (and racoon) 0.5 or later OR you need to add <emphasis
      role="bold">-P fwd</emphasis> rules (duplicate each <emphasis
      role="bold">-P in</emphasis> rule and replace the <emphasis
      role="bold">in</emphasis> with <emphasis role="bold">fwd</emphasis>) --
      as of this writing (2005-02028, the IPSEC HOWTO (<ulink
      url="http://www.ipsec-howto.org/x277.html">http://www.ipsec-howto.org/x277.html</ulink>)
      is inaccurate on this point.</para>
    </caution>
    <para>A sample <filename>/etc/racoon/racoon.conf</filename> file using
    X.509 certificates might look like:</para>
@ -779,8 +768,8 @@ loc             eth0:192.168.20.0/24
      <para><filename>/etc/shorewall/policy</filename>:</para>
      <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
-fw              all             ACCEPT
+$FW             all             ACCEPT
-loc             fw              ACCEPT
+loc             $FW             ACCEPT
 net             loc             NONE
 loc             net             NONE
 net             all             DROP            info
--- a/Shorewall-docs2/Introduction.xml
+++ b/Shorewall-docs2/Introduction.xml
@ -13,7 +13,7 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2005-08-30</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2003-2005</year>
@ -132,11 +132,10 @@ dmz                    Demilitarized Zone</programlisting>
    class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
    file.</para>
-    <para>Shorewall also recognizes the firewall system as its own zone - by
+    <para>Note that Shorewall recognizes the firewall system as its own zone.
-    default, the firewall itself is known as <emphasis
+    The name of the zone designating the firewall itself is stored in the
-    role="bold"><varname>fw</varname></emphasis> but that may be changed by
+    shell variable $<firstterm>FW</firstterm> which may be used throughout the
-    setting the FW option in <ulink
+    Shorewall configuration to refer to the firewall zone.</para>
    url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones. <itemizedlist spacing="compact">
@ -207,7 +206,7 @@ all        all         REJECT      info</programlisting>In the three-interface
    sample, the line below is included but commented out. If you want your
    firewall system to have full access to servers on the internet, uncomment
    that line. <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
-fw         net         ACCEPT</programlisting> The above policy will:
+$FW        net         ACCEPT</programlisting> The above policy will:
    <itemizedlist>
        <listitem>
          <para>Allow all connection requests from your local network to the
@ -255,7 +254,7 @@ dmz        eth2          detect</programlisting>
    <programlisting>#ACTION    SOURCE        DEST      PROTO      DEST
 #                                             PORT(S)
-ACCEPT     net           fw        tcp        22</programlisting>
+ACCEPT     net           $FW       tcp        22</programlisting>
    <para>So although you have a policy of ignoring all connection attempts
    from the net zone (from the internet), the above exception to that policy
--- a/Shorewall-docs2/Macros.xml
+++ b/Shorewall-docs2/Macros.xml
@ -21,7 +21,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-08-22</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2005</year>
@ -40,6 +40,13 @@
    </legalnotice>
  </articleinfo>
  <caution>
    <para><emphasis role="bold">This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that
    release.</emphasis></para>
  </caution>
  <section>
    <title>What are Shorewall Macros?</title>
@ -47,8 +54,9 @@
    series of one or more iptables rules. The symbolic name may appear in the
    ACTION column of an <filename><ulink
    url="Documentation.htm#Rules">/etc/shorewall/rules</ulink></filename> file
-    entry in which case, the traffic matching that rules file entry will be
+    entry and in the TARGET column of an action in which case, the traffic
-    passed to the series of iptables rules named by the action.</para>
+    matching that rules file entry will be passed to the series of iptables
    rules named by the macro.</para>
    <para>Macros can be thought of as templates. When a macro is invoked in an
    <filename>/etc/shorewall/rules</filename> entry, it may be qualified by a
@ -57,30 +65,22 @@
    which each packet/rule match within the macro causes a log message to be
    generated.</para>
-    <para>There are three types of Shorewall macros:</para>
+    <para>There are two types of Shorewall macros:</para>
    <orderedlist>
      <listitem>
-        <para>Built-in Macros. These macros are known by the Shorewall code
+        <para>Standard Macros. These macros are released as part of Shorewall.
-        itself. They are listed in the comments at the top of the file
+        They are defined in macros.* files in <filename
        <filename>/usr/share/shorewall/actions.std</filename>.</para>
      </listitem>
      <listitem>
        <para>Standard Macros. These actions are released as part of
        Shorewall. They are listed in the file
        <filename>/usr/share/shorewall/actions.std</filename> and are defined
        in the corresponding macros.* files in <filename
        class="directory">/usr/share/shorewall</filename>. Each
        <filename>macros.*</filename> file has a comment at the beginning of
-        the file that describes what the action does. As an example, here is
+        the file that describes what the macro does. As an example, here is
-        the definition of the <firstterm>AllowSMB</firstterm> standard
+        the definition of the <firstterm>SMB</firstterm> standard
        macro.</para>
        <programlisting>#
 # Shorewall 2.2 /usr/share/shorewall/macro.AllowSMB
 #
-#       Allow Microsoft SMB traffic. You need to invoke this action in
+#       Allow Microsoft SMB traffic. You need to invoke this macro in
 #       both directions.
 #
 ######################################################################################
@ -100,126 +100,97 @@ PARAM    -              -               tcp     135,139,445
      <listitem>
        <para>User-defined Macros. These macros are created by end-users. They
-        are listed in the file /etc/shorewall/actions and are defined in
+        are defined in macros.* files in /etc/shorewall or in another
-        macros.* files in /etc/shorewall/actions or in another directory
+        directory listed in your CONFIG_PATH (defined in <ulink
        listed in your CONFIG_PATH (defined in <ulink
        url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>).</para>
      </listitem>
    </orderedlist>
  </section>
  <section>
    <title>Common Actions</title>
    <para>Shorewall allows the association of a <firstterm>common
    action</firstterm> with policies. A separate common action may be
    associated with ACCEPT, DROP and REJECT policies. Common actions provide a
    way to invoke a set of common rules just before the policy is enforced.
    Common actions accomplish two goals:</para>
    <orderedlist>
      <listitem>
        <para>Relieve log congestion. Common actions typically include rules
        to silently drop or reject traffic that would otherwise be logged when
        the policy is enforced.</para>
      </listitem>
      <listitem>
        <para>Ensure correct operation. Common actions can also avoid common
        pitfalls like dropping connection requests on port TCP port 113. If
        these connections are dropped (rather than rejected) then you may
        encounter problems connecting to internet services that utilize the
        AUTH protocol of client authentication<footnote>
            <para>AUTH is actually pretty silly on today's internet but it's
            amazing how many servers still employ it.</para>
          </footnote>.</para>
      </listitem>
    </orderedlist>
    <para>Shorewall provides common actions for the REJECT and DROP policies.
    The common action for REJECT is named <firstterm>Reject</firstterm> and
    the common action for DROP is named <firstterm>Drop</firstterm>. These
    associations are made through two entries in
    /usr/share/shorewall/actions.std:</para>
    <programlisting>Drop:DROP       #Common Action for DROP policy
 Reject:REJECT   #Common Action for REJECT policy</programlisting>
    <para>These may be overridden by entries in your /etc/shorewall/actions
    file.</para>
    <warning>
      <para>Entries in the DROP and REJECT common actions <emphasis
      role="bold">ARE NOT THE CAUSE OF CONNECTION PROBLEMS</emphasis>.
      Remember — common actions are only invoked immediately before the packet
      is going to be dropped or rejected anyway!!!</para>
    </warning>
  </section>
  <section>
    <title>Defining your own Macros</title>
-    <para>To define a new action:</para>
+    <para>To define a new macro:</para>
    <orderedlist>
      <listitem>
-        <para>Add a line to
+        <para>Macro names must be valid shell variable names ((must begin with
-        <filename><filename>/etc/shorewall/actions</filename></filename> that
+        a letter and be composed of letters, digits and underscore characters)
-        names your new action. Action names must be valid shell variable names
+        as well as valid Netfilter chain names.</para>
        ((must begin with a letter and be composed of letters, digits and
        underscore characters) as well as valid Netfilter chain names. If you
        intend to log from the action, the name must have a maximum of 11
        characters. It is recommended that the name you select for a new
        action begins with a capital letter; that way, the name won't conflict
        with a Shorewall-defined chain name.</para>
        <para>Beginning with Shorewall-2.0.0-Beta1, the name of the action may
        be optionally followed by a colon (<quote>:</quote>) and ACCEPT, DROP
        or REJECT. When this is done, the named action will become the
        <emphasis>common action </emphasis>for policies of type ACCEPT, DROP
        or REJECT respectively. The common action is applied immediately
        before the policy is enforced (before any logging is done under that
        policy) and is used mainly to suppress logging of uninteresting
        traffic which would otherwise clog your logs. The same policy name can
        appear in multiple actions; the last such action for each policy name
        is the one which Shorewall will use.</para>
        <para>Shorewall includes pre-defined actions for DROP and REJECT --
        see above.</para>
      </listitem>
      <listitem>
-        <para>Once you have defined your new action name (ActionName), then
+        <para>Copy /usr/share/shorewall/macro.template to
-        copy /usr/share/shorewall/action.template to
+        <filename>/etc/shorewall/macro.ActionName</filename> (for example, if
-        <filename>/etc/shorewall/action.ActionName</filename> (for example, if
+        your new macro name is <quote>Foo</quote> then copy
-        your new action name is <quote>Foo</quote> then copy
+        <filename>/usr/share/shorewall/macro.template</filename> to
-        <filename>/usr/share/shorewall/action.template</filename> to
+        <filename>/etc/shorewall/macro.Foo</filename>).</para>
        <filename>/etc/shorewall/action.Foo</filename>).</para>
      </listitem>
      <listitem>
-        <para>Now modify the new file to define the new action.</para>
+        <para>Now modify the new file to define the new macro.</para>
      </listitem>
    </orderedlist>
-    <para>Columns in the action.template file are as follows:</para>
+    <para>Columns in the macro.template file are as follows:</para>
    <itemizedlist>
      <listitem>
-        <para>TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
+        <para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
-        &lt;<emphasis>action</emphasis>&gt; where
+        LOG, QUEUE, PARAM or an action name.</para>
-        &lt;<emphasis>action</emphasis>&gt; is a previously-defined action
+
-        (that is, it must precede the action being defined in this file in
+        <simplelist>
-        your <filename>/etc/shorewall/actions</filename> file). These actions
+          <member>ACCEPT - allow the connection request</member>
-        have the same meaning as they do in the
+
-        <filename>/etc/shorewall/rules</filename> file (CONTINUE terminates
+          <member>ACCEPT+ - like ACCEPT but also excludes the connection from
-        processing of the current action and returns to the point where that
+          any subsequent DNAT[-] or REDIRECT[-] rules.</member>
-        action was invoked). The TARGET may optionally be followed by a colon
+
-        (<quote>:</quote>) and a syslog log level (e.g, REJECT:info or
+          <member>NONAT - Excludes the connection from any subsequent DNAT[-]
-        ACCEPT:debugging). This causes the packet to be logged at the
+          or REDIRECT[-] rules but doesn't generate a rule to accept the
-        specified level. You may also specify ULOG (must be in upper case) as
+          traffic.</member>
-        a log level. This will log to the ULOG target for routing to a
+
-        separate log through use of ulogd (<ulink
+          <member>DROP - ignore the request</member>
          <member>REJECT - disallow the request and return an icmp unreachable
          or an RST packet.</member>
          <member>DNAT - Forward the request to another address (and
          optionally another port).</member>
          <member>DNAT- - Advanced users only. Like DNAT but only generates
          the DNAT iptables rule and not the companion ACCEPT rule.</member>
          <member>SAME - Similar to DNAT except that the port may not be
          remapped and when multiple server addresses are listed, all requests
          from a given remote system go to the same server.</member>
          <member>SAME- - Advanced users only. Like SAME but only generates
          the SAME iptables rule and not the companion ACCEPT rule.</member>
          <member>REDIRECT - Redirect the request to a local port on the
          firewall.</member>
          <member>REDIRECT- - Advanced users only. Like REDIRET but only
          generates the REDIRECT iptables rule and not the companion ACCEPT
          rule.</member>
          <member>CONTINUE - (For experts only). Do not process any of the
          following rules for this (source zone,destination zone). If The
          source and/or destination If the address falls into a zone defined
          later in /etc/shorewall/zones, this connection request will be
          passed to the rules defined for that (those) zone(s).</member>
          <member>LOG - Simply log the packet and continue.</member>
          <member>QUEUE - Queue the packet to a user-space application such as
          ftwall (http://p2pwall.sf.net).</member>
        </simplelist>
        <para>The ACTION may optionally be followed by ":" and a syslog log
        level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
        logged at the specified level.</para>
        <para>(<ulink
        url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
      </listitem>
@ -360,156 +331,77 @@ Reject:REJECT   #Common Action for REJECT policy</programlisting>
    <para>Example:</para>
-    <para><filename>/etc/shorewall/actions</filename>:</para>
+    <para><phrase><filename>/etc/shorewall/macro.LogAndAccept</filename></phrase><programlisting>     LOG:info
    <para><programlisting>     LogAndAccept</programlisting><phrase><filename>/etc/shorewall/action.LogAndAccept</filename></phrase><programlisting>     LOG:info
     ACCEPT</programlisting></para>
-    <para>To use your action, in <filename>/etc/shorewall/rules</filename> you
+    <para>To use your macro, in <filename>/etc/shorewall/rules</filename> you
    might do something like:</para>
    <programlisting>#ACTION      SOURCE      DEST        PROTO    DEST PORT(S)
-LogAndAccept loc         fw          tcp      22</programlisting>
+LogAndAccept loc         $FW         tcp      22</programlisting>
  </section>
  <section>
-    <title>Actions and Logging</title>
+    <title>Macros and Logging</title>
-    <para>Prior to Shorewall 2.1.2, specifying a log level (and optionally a
+    <para>Specifying a log level in a rule that invokes a user- or
-    log tag) on a rule that specified a user-defined (or Shorewall-defined)
+    Shorewall-defined action will cause each rule in the macro to be logged
-    action would log all traffic passed to the action. Beginning with
+    with the specified level (and tag).</para>
    Shorewall 2.1.2, specifying a log level in a rule that specifies a user-
    or Shorewall-defined action will cause each rule in the action to be
    logged with the specified level (and tag).</para>
-    <para>The extent to which logging of action rules occur is governed by the
+    <para>The extent to which logging of macro rules occur is governed by the
    following:</para>
    <orderedlist>
      <listitem>
-        <para>When you invoke an action and specify a log level, only those
+        <para>When you invoke a macro and specify a log level, only those
-        rules in the action that have no log level will be changed to log at
+        rules in the macro that have no log level will be changed to log at
        the level specified at the action invocation.</para>
        <para>Example:</para>
-        <para>/etc/shorewall/action.foo</para>
+        <para>/etc/shorewall/macro.foo</para>
-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
-foo:debug    fw         net</programlisting>
+foo:debug    $FW        net</programlisting>
-        <para>Logging in the invoke 'foo' action will be as if foo had been
+        <para>Logging in the invokeD 'foo' macro will be as if foo had been
        defined as:</para>
-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT:debug -          -        tcp      22
 bar:info</programlisting>
      </listitem>
      <listitem>
        <para>If you follow the log level with "!" then logging will be at
-        that level for all rules recursively invoked by the action.</para>
+        that level for all rules recursively invoked by the macro.</para>
        <para>Example:</para>
-        <para>/etc/shorewall/action.foo</para>
+        <para>/etc/shorewall/macro.foo</para>
-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT       -          -        tcp      22
 bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
-foo:debug!    fw         net</programlisting>
+foo:debug!   $FW        net</programlisting>
-        <para>Logging in the invoke 'foo' action will be as if foo had been
+        <para>Logging in the invoked 'foo' macro will be as if foo had been
        defined as:</para>
-        <programlisting>#TARGET      SOURCE     DEST     PROTO    DEST PORT(S)
+        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
 ACCEPT:debug -          -        tcp      22
 bar:debug</programlisting>
      </listitem>
    </orderedlist>
    <para>The change in Shorewall 2.1.2 has an effect on extension scripts
    used with user-defined actions. If you define an action 'acton' and you
    have an <filename>/etc/shorewall/acton</filename> script then when that
    script is invoked, the following three variables will be set for use by
    the script:</para>
    <itemizedlist>
      <listitem>
        <para>$CHAIN = the name of the chain where your rules are to be
        placed. When logging is used on an action invocation, Shorewall
        creates a chain with a slightly different name from the action
        itself.</para>
      </listitem>
      <listitem>
        <para>$LEVEL = Log level. If empty, no logging was specified.</para>
      </listitem>
      <listitem>
        <para>$TAG = Log Tag.</para>
      </listitem>
    </itemizedlist>
    <para>Example:</para>
    <para><filename>/etc/shorewall/rules</filename>:</para>
    <programlisting>#ACTION          SOURCE           DEST
 acton:info:test  fw               net</programlisting>
    <para>Your /etc/shorewall/acton file will be run with:</para>
    <itemizedlist>
      <listitem>
        <para>$CHAIN="%acton1"</para>
      </listitem>
      <listitem>
        <para>$LEVEL="info"</para>
      </listitem>
      <listitem>
        <para>$TAG="test"</para>
      </listitem>
    </itemizedlist>
    <para>For an example of how to use these variables, see <ulink
    url="PortKnocking.html">this article</ulink>.</para>
  </section>
  <section id="Extension">
    <title>Creating an Action using an Extension Script</title>
    <para>There may be cases where you wish to create a chain with rules that
    can't be constructed using the tools defined in the action.template. In
    that case, you can use an extension script.<note>
        <para>If you actually need an action to drop broadcast packets, use
        the <command>dropBcast</command> standard action rather than create
        one like this.</para>
      </note></para>
    <example>
      <title>An action to drop all broadcast packets</title>
      <para>/etc/shorewall/actions<programlisting>DropBcasts</programlisting></para>
      <para>/etc/shorewall/action.DropBcasts<programlisting># This file is empty</programlisting></para>
      <para>/etc/shorewall/DropBcasts<programlisting>run_iptables -A DropBcasts -m pkttype --pkttype broadcast -j DROP</programlisting></para>
    </example>
    <para>For a richer example, see <ulink url="PortKnocking.html">this
    article</ulink>.</para>
  </section>
 </article>
--- a/Shorewall-docs2/PortKnocking.xml
+++ b/Shorewall-docs2/PortKnocking.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-06-26</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2005</year>
@ -97,13 +97,13 @@ run_iptables -A $CHAIN -p tcp --dport 1601 -m recent                       --nam
        <filename>/etc/shorewall/rules</filename>:</para>
        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
-SSHKnock         net               fw             tcp         22,1599,1600,1601</programlisting>
+SSHKnock         net               $FW            tcp         22,1599,1600,1601</programlisting>
        <para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
        can just add a log level as in:</para>
        <programlisting>#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
-SSHKnock:info    net               fw             tcp         22,1599,1600,1601</programlisting>
+SSHKnock:info    net               $FW            tcp         22,1599,1600,1601</programlisting>
      </listitem>
      <listitem>
@ -115,7 +115,7 @@ SSHKnock:info    net               fw             tcp         22,1599,1600,1601<
        <programlisting>#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
 #                                                                            PORT(S)     DEST
 DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
-SSHKnock         net               fw              tcp         1599,1600,1601
+SSHKnock         net               $FW             tcp         1599,1600,1601
 SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</programlisting>
        <note>
--- a/Shorewall-docs2/Shorewall_Squid_Usage.xml
+++ b/Shorewall-docs2/Shorewall_Squid_Usage.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-06-01</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2003-2005</year>
@ -150,7 +150,7 @@
      <programlisting>#ACTION   SOURCE     DEST     PROTO    DEST PORT(S)     SOURCE     ORIGINAL
 #                                                       PORT(S)    DEST
 REDIRECT  loc        3128     tcp      www              -          !206.124.146.177
-ACCEPT    fw         net      tcp      www</programlisting>
+ACCEPT    $FW        net      tcp      www</programlisting>
      <para>There may be a requirement to exclude additional destination hosts
      or networks from being redirected. For example, you might also want
@ -218,7 +218,7 @@ fi</command>          </programlisting>
          <para>Add this entry to your /etc/shorewall/providers file.</para>
          <programlisting>#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS
-Squid   1       202     -               eth1            192.168.1.3     -</programlisting>
+Squid   1       202     -               eth1            192.168.1.3     loose</programlisting>
        </listitem>
      </orderedlist>
@ -308,8 +308,8 @@ ACCEPT    SZ       net    tcp     80,443</programlisting>
      <quote>loc</quote> zone:</title>
      <para><filename>/etc/shorewall/rules:</filename> <programlisting>#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)
-ACCEPT    loc      fw     tcp      8080
+ACCEPT    loc      $FW    tcp      8080
-ACCEPT    fw       net    tcp      80,443</programlisting></para>
+ACCEPT    $FW      net    tcp      80,443</programlisting></para>
    </example>
  </section>
-</article>
+</article>
--- a/Shorewall-docs2/Shorewall_and_Kazaa.xml
+++ b/Shorewall-docs2/Shorewall_and_Kazaa.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-09-03</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2003-2005</year>
@ -56,7 +56,7 @@
  <programlisting>        #ACTION SOURCE     DEST       PROTO
        QUEUE   loc        net        tcp
        QUEUE   loc        net        udp
-        QUEUE   loc        fw         udp</programlisting>
+        QUEUE   loc        $FW        udp</programlisting>
  <para>Now simply configure ftwall as described in the ftwall documentation
  and restart Shorewall.</para>
--- a/Shorewall-docs2/UPnP.xml
+++ b/Shorewall-docs2/UPnP.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-05-16</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2005</year>
@ -109,7 +109,7 @@ net     eth1            detect          dhcp,routefilter,norfc1918,tcpflags,<emp
    rule:</para>
    <programlisting>#ACTION            SOURCE  DEST
-allowoutUPnP       fw      loc</programlisting>
+allowoutUPnP       $FW     loc</programlisting>
    <note>
      <para>To use 'allowoutUPnP', your iptables and kernel must support the
@ -121,7 +121,7 @@ allowoutUPnP       fw      loc</programlisting>
    rule:</para>
    <programlisting>#ACTION            SOURCE  DEST
-allowinUPnP        loc     fw</programlisting>
+allowinUPnP        loc     $FW</programlisting>
    <para>You MUST have this rule:</para>
--- a/Shorewall-docs2/User_defined_Actions.xml
+++ b/Shorewall-docs2/User_defined_Actions.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-01-14</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2003</year>
@ -257,7 +257,7 @@
    might do something like:</para>
    <programlisting>#ACTION      SOURCE      DEST        PROTO    DEST PORT(S)
-LogAndAccept loc         fw          tcp      22</programlisting>
+LogAndAccept loc         $FW         tcp      22</programlisting>
    <para>Prior to Shorewall 2.1.2, specifying a log level (and optionally a
    log tag) on a rule that specified a user-defined (or Shorewall-defined)
@ -286,7 +286,7 @@ bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
-foo:debug    fw         net</programlisting>
+foo:debug    $FW        net</programlisting>
        <para>Logging in the invoke 'foo' action will be as if foo had been
        defined as:</para>
@ -311,7 +311,7 @@ bar:info</programlisting>
        <para>/etc/shorewall/rules:</para>
        <programlisting>#ACTION      SOURCE     DEST     PROTO    DEST PORT(S)
-foo:debug!    fw         net</programlisting>
+foo:debug!    $FW        net</programlisting>
        <para>Logging in the invoke 'foo' action will be as if foo had been
        defined as:</para>
@ -350,7 +350,7 @@ bar:debug</programlisting>
    <para><filename>/etc/shorewall/rules</filename>:</para>
    <programlisting>#ACTION          SOURCE           DEST
-acton:info:test  fw               net</programlisting>
+acton:info:test  $FW              net</programlisting>
    <para>Your /etc/shorewall/acton file will be run with:</para>
@ -383,7 +383,7 @@ acton:info:test  fw               net</programlisting>
      your firewall. In <filename>/etc/shorewall/rules</filename>:</para>
      <programlisting>#ACTION   SOURCE      DEST        PROTO    ...
-AllowFTP  loc         fw</programlisting>
+AllowFTP  loc         $FW</programlisting>
    </example>
    <para><filename>/usr/share/shorewall/actions.std</filename> is processed
--- a/Shorewall-docs2/configuration_file_basics.xml
+++ b/Shorewall-docs2/configuration_file_basics.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-08-28</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -230,7 +230,7 @@
      <title>Comments in a Configuration File</title>
      <programlisting># This is a comment
-ACCEPT  net     fw      tcp     www     #This is an end-of-line comment</programlisting>
+ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</programlisting>
    </example>
  </section>
@ -244,7 +244,7 @@ ACCEPT  net     fw      tcp     www     #This is an end-of-line comment</program
    <example>
      <title>Line Continuation</title>
-      <programlisting>ACCEPT  net     fw      tcp \
+      <programlisting>ACCEPT  net     $FW      tcp \
 smtp,www,pop3,imap  #Services running on the firewall</programlisting>
    </example>
  </section>
--- a/Shorewall-docs2/ipsets.xml
+++ b/Shorewall-docs2/ipsets.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-07-27</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2005</year>
@ -112,7 +112,7 @@
    <para>Example 2: Allow SSH from all hosts in an ipset named "sshok:</para>
    <para><filename>/etc/shorewall/rules</filename><programlisting>#ACTION      SOURCE      DEST     PROTO    DEST PORT(S)
-ACCEPT       +sshok      fw       tcp      22</programlisting></para>
+ACCEPT       +sshok      $FW      tcp      22</programlisting></para>
    <para>Shorewall can automatically manage the contents of your ipsets for
    you. If you specify SAVE_IPSETS=Yes in /etc/shorewall/shorewall.conf then
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-04-15</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -333,7 +333,7 @@ $WIFI_IF        192.168.3.0/24
      <blockquote>
        <programlisting>#SOURCE         DESTINATION     POLICY          LOG LEVEL       BURST:LIMIT
-fw              fw              ACCEPT
+$FW             $FW             ACCEPT
 loc             net             ACCEPT
 $FW             vpn             ACCEPT
 vpn             net             ACCEPT
@ -342,14 +342,14 @@ sec             vpn             ACCEPT
 vpn             sec             ACCEPT
 sec             loc             ACCEPT
 loc             sec             ACCEPT
-fw              sec             ACCEPT
+$FW             sec             ACCEPT
 sec             net             ACCEPT
 Wifi            sec             NONE
 sec             Wifi            NONE
-fw              Wifi            ACCEPT
+$FW             Wifi            ACCEPT
 loc             vpn             ACCEPT
 $FW             loc             ACCEPT
-loc             fw              REJECT          $LOG
+loc             $FW             REJECT          $LOG
 net             all             DROP            $LOG            10/sec:40
 all             all             REJECT          $LOG
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -514,23 +514,23 @@ REDIRECT        sec                             3128                    tcp
 #####
 # Local Network to Firewall 
 #
-DROP            loc:!192.168.0.0/22             fw                      # Silently drop traffic with an HP source IP from my XP box
+DROP            loc:!192.168.0.0/22             $FW                     # Silently drop traffic with an HP source IP from my XP box
-ACCEPT          loc                             fw                      tcp     ssh,time,631,8080
+ACCEPT          loc                             $FW                     tcp     ssh,time,631,8080
-ACCEPT          loc                             fw                      udp     161,ntp,631
+ACCEPT          loc                             $FW                     udp     161,ntp,631
-DROP            loc                             fw                      tcp     3185          #SuSE Meta pppd
+DROP            loc                             $FW                     tcp     3185          #SuSE Meta pppd
 ##########################################################################################################################################################################
 #####
 # Secure wireless to Firewall 
 #
-ACCEPT          sec                             fw                      tcp     ssh,time,631,8080
+ACCEPT          sec                             $FW                     tcp     ssh,time,631,8080
-ACCEPT          sec                             fw                      udp     161,ntp,631
+ACCEPT          sec                             $FW                     udp     161,ntp,631
-DROP            sec                             fw                      tcp     3185          #SuSE Meta pppd
+DROP            sec                             $FW                     tcp     3185          #SuSE Meta pppd
 ##########################################################################################################################################################################
 #####
 # Roadwarriors to Firewall 
 #
-ACCEPT          vpn                             fw                      tcp     ssh,time,631,8080
+ACCEPT          vpn                             $FW                     tcp     ssh,time,631,8080
-ACCEPT          vpn                             fw                      udp     161,ntp,631
+ACCEPT          vpn                             $FW                     udp     161,ntp,631
 ##########################################################################################################################################################################
 #####
 # Local Network to DMZ
@ -561,7 +561,7 @@ ACCEPT          vpn                             dmz                     tcp
 #####
 # Internet to ALL -- drop NewNotSyn packets
 #
-dropNotSyn      net             fw              tcp
+dropNotSyn      net             $FW             tcp
 dropNotSyn      net             loc             tcp
 dropNotSyn      net             dmz             tcp
@ -632,10 +632,10 @@ ACCEPT:$LOG     dmz                             net                     tcp
 #####
 # DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
 #
-ACCEPT          dmz                             fw                      udp     ntp                                     ntp
+ACCEPT          dmz                             $FW                     udp     ntp                                     ntp
-ACCEPT          dmz                             fw                      tcp     161,ssh
+ACCEPT          dmz                             $FW                     tcp     161,ssh
-ACCEPT          dmz                             fw                      udp     161
+ACCEPT          dmz                             $FW                     udp     161
-REJECT          dmz                             fw                      tcp     auth
+REJECT          dmz                             $FW                     tcp     auth
 ##########################################################################################################################################################################
 #####
 # DMZ to Local Network  
@ -647,29 +647,29 @@ ACCEPT          dmz:206.124.146.177             loc:192.168.1.5         udp
 #####
 # Internet to Firewall
 #
-REJECT          net                             fw                      tcp     www,ftp,https
+REJECT          net                             $FW                     tcp     www,ftp,https
 ACCEPT          net                             dmz                     udp     33434:33454
-ACCEPT          net:$OMAK                       fw                      udp     ntp
+ACCEPT          net:$OMAK                       $FW                     udp     ntp
-ACCEPT          net:$OMAK                       fw                      tcp     22      #SSH from Omak
+ACCEPT          net:$OMAK                       $FW                     tcp     22      #SSH from Omak
 ##########################################################################################################################################################################
 #####
 # Firewall to Internet
 #
-ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
+ACCEPT          $FW                             net:$NTPSERVERS         udp     ntp                                     ntp
-#ACCEPT         fw                              net:$POPSERVERS         tcp     pop3
+#ACCEPT         $FW                             net:$POPSERVERS         tcp     pop3
-ACCEPT          fw                              net                     udp     domain
+ACCEPT          $FW                             net                     udp     domain
-ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
+ACCEPT          $FW                             net                     tcp     domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
-ACCEPT          fw                              net                     udp     33435:33535
+ACCEPT          $FW                             net                     udp     33435:33535
-ACCEPT          fw                              net                     icmp
+ACCEPT          $FW                             net                     icmp
-REJECT:$LOG     fw                              net                     udp     1025:1031
+REJECT:$LOG     $FW                             net                     udp     1025:1031
-DROP            fw                              net                     udp     ntp
+DROP            $FW                             net                     udp     ntp
 ##########################################################################################################################################################################
 #####
 # Firewall to DMZ
 #
-ACCEPT          fw                              dmz                     tcp     www,ftp,ssh,smtp,993,465
+ACCEPT          $FW                             dmz                     tcp     www,ftp,ssh,smtp,993,465
-ACCEPT          fw                              dmz                     udp     domain
+ACCEPT          $FW                             dmz                     udp     domain
-REJECT          fw                              dmz                     udp     137:139
+REJECT          $FW                             dmz                     udp     137:139
 ##########################################################################################################################################################################
 #####
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
@ -883,9 +883,9 @@ net     Net             Internet
      <blockquote>
        <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
-fw              net             ACCEPT
+$FW             net             ACCEPT
-fw              home            ACCEPT
+$FW             home            ACCEPT
-home            fw              ACCEPT
+home            $FW             ACCEPT
 net             home            NONE
 home            net             NONE
 net             all             DROP            info
@ -932,9 +932,9 @@ home            eth0:0.0.0.0/0
      <blockquote>
        <programlisting>#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
 #                                                       PORT    PORT(S) DEST            LIMIT   GROUP
-ACCEPT          net                     fw      icmp    8
+ACCEPT          net                     $FW     icmp    8
-ACCEPT          net                     fw      tcp     22
+ACCEPT          net                     $FW     tcp     22
-ACCEPT          net                     fw      tcp     4000:4100
+ACCEPT          net                     $FW     tcp     4000:4100
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>
@ -1021,9 +1021,9 @@ net     Net             Internet
      <blockquote>
        <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST
-fw              net             ACCEPT
+$FW             net             ACCEPT
-fw              home            ACCEPT
+$FW             home            ACCEPT
-home            fw              ACCEPT
+home            $FW             ACCEPT
 net             home            NONE
 home            net             NONE
 net             all             DROP            info
@ -1050,9 +1050,9 @@ home    tun0            -
      <blockquote>
        <programlisting>#ACTION         SOURCE                  DEST    PROTO   DEST    SOURCE  ORIGINAL        RATE    USER/
 #                                                       PORT    PORT(S) DEST            LIMIT   GROUP
-ACCEPT          net                     fw      icmp    8
+ACCEPT          net                     $FW     icmp    8
-ACCEPT          net                     fw      tcp     22
+ACCEPT          net                     $FW     tcp     22
-ACCEPT          net                     fw      tcp     4000:4100
+ACCEPT          net                     $FW     tcp     4000:4100
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
      </blockquote>
    </section>
--- a/Shorewall-docs2/ping.xml
+++ b/Shorewall-docs2/ping.xml
@ -13,7 +13,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-08-31</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -64,7 +64,7 @@ Ping/ACCEPT    z1        z2</programlisting>
      <para>To permit ping from the local zone to the firewall:</para>
      <programlisting>#ACTION      SOURCE    DEST     PROTO    DEST PORT(S)
-Ping/ACCEPT   loc       fw</programlisting>
+Ping/ACCEPT   loc      $FW</programlisting>
    </example>
    <para>If you would like to accept <quote>ping</quote> by default even when
@ -89,7 +89,7 @@ Ping/DROP     z1        z2</programlisting>
      <filename>/etc/shorewall/rules</filename>:</para>
      <programlisting>#ACTION    SOURCE    DEST     PROTO    DEST PORT(S)
-Ping/DROP  net       fw</programlisting>
+Ping/DROP  net       $FW</programlisting>
    </example>
    <para>Note that the above rule may be used without changing the action
--- a/Shorewall-docs2/samba.xml
+++ b/Shorewall-docs2/samba.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-08-31</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2002</year>
@ -43,8 +43,8 @@
  <programlisting>#ACTION   SOURCE   DEST   PROTO    DEST PORT(S)   SOURCE
 #                                                 PORT(S)
-SMB/ACCEPT  fw       loc
+SMB/ACCEPT  $FW      loc
-SMB/ACCEPT  loc      fw</programlisting>
+SMB/ACCEPT  loc      $FW</programlisting>
  <para>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</para>
--- a/Shorewall-docs2/shorewall_logging.xml
+++ b/Shorewall-docs2/shorewall_logging.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-03-04</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2001 - 2005</year>
@ -68,7 +68,7 @@
        <para>The packet matches a rule in <ulink
        url="Documentation.htm#Rules">/etc/shorewall/rules</ulink>. By
        including a syslog level (see below) in the ACTION column of a rule
-        (e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net fw tcp
+        (e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net $FW tcp
        22</quote>), the connection attempt will be logged at that
        level.</para>
      </listitem>
@ -231,7 +231,7 @@ rules:REJECT:$LOG       loc                             net
 rules:REJECT:$LOG       loc                             net                     udp     1025:1031
 rules:REJECT:$LOG       dmz                             net                     udp     1025:1031
 rules:ACCEPT:$LOG       dmz                             net                     tcp     1024:                                   20
-rules:REJECT:$LOG       fw                              net                     udp     1025:1031
+rules:REJECT:$LOG       $FW                             net                     udp     1025:1031
 shorewall.conf:LOGFILE=/var/log/shorewall
 shorewall.conf:LOGUNCLEAN=$LOG
 shorewall.conf:LOGNEWNOTSYN=$LOG
--- a/Shorewall-docs2/shorewall_setup_guide.xml
+++ b/Shorewall-docs2/shorewall_setup_guide.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-09-04</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -145,7 +145,7 @@
        <term>net</term>
        <listitem>
-          <para>The public Internet. </para>
+          <para>The public Internet.</para>
        </listitem>
      </varlistentry>
@ -184,8 +184,10 @@ dmz     plain</programlisting>
    <para>Note that Shorewall recognizes the firewall system as its own zone -
    The above example follows the usual convention of naming the Firewall zone
-    <emphasis role="bold">fw</emphasis>. In this guide, the name <emphasis
+    <emphasis role="bold">fw</emphasis>. The name specified for the firewall
-    role="bold">fw</emphasis> will be used. With the exception of the name
+    zone (<emphasis role="bold">fw</emphasis> in the above example) is stored
    in the shell variable <firstterm>$FW</firstterm> when the
    /etc/shorewall/zones file is processed. With the exception of the name
    assigned to the firewall zone, Shorewall attaches absolutely no meaning to
    zone names. Zones are entirely what YOU make of them. That means that you
    should not expect Shorewall to do something special <quote>because this is
@ -418,7 +420,7 @@ net      eth0           detect        rfc1918
 loc      eth1           detect
 dmz      eth2           detect</programlisting>
-    <para>Note that the <emphasis role="bold">fw</emphasis> zone has no entry
+    <para>Note that the <emphasis role="bold">$FW</emphasis> zone has no entry
    in the /etc/shorewall/interfaces file.</para>
    <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
@ -1698,7 +1700,7 @@ ACCEPT   net     loc:192.168.201.4  tcp    www</programlisting>
      <note>
        <para>Shorewall has a <ulink url="Macros.html">macro facility</ulink>
        that includes macros for many standard applications. This section does
-        not use those macros but rather defines the rules directly. </para>
+        not use those macros but rather defines the rules directly.</para>
      </note>
      <para><inlinegraphic fileref="images/BD21298_.gif" /></para>
@ -1738,7 +1740,7 @@ ACCEPT   loc             dmz:192.0.2.178    tcp    smtp    #Mail from local
                                                           #Network
 ACCEPT   loc             dmz:192.0.2.178    tcp    pop3    #Pop3 from local
                                                           #Network
-ACCEPT   fw              dmz:192.0.2.178    tcp    smtp    #Mail from the
+ACCEPT   $FW             dmz:192.0.2.178    tcp    smtp    #Mail from the
                                                           #Firewall
 ACCEPT   dmz:192.0.2.178 net                tcp    smtp    #Mail to the
                                                           #Internet
@ -1763,9 +1765,9 @@ ACCEPT   loc             dmz:192.0.2.177    udp    domain  #UDP DNS from
                                                           #Local Network
 ACCEPT   loc             dmz:192.0.2.177    tcp    domain  #TCP DNS from
                                                           #Local Network
-ACCEPT   fw              dmz:192.0.2.177    udp    domain  #UDP DNS from
+ACCEPT   $FW             dmz:192.0.2.177    udp    domain  #UDP DNS from
                                                           #the Firewall
-ACCEPT   fw              dmz:192.0.2.177    tcp    domain  #TCP DNS from
+ACCEPT   $FW             dmz:192.0.2.177    tcp    domain  #TCP DNS from
                                                           #the Firewall
 ACCEPT   dmz:192.0.2.177 net                udp    domain  #UDP DNS to
                                                           #the Internet
@ -1780,7 +1782,7 @@ ACCEPT   dmz:192.0.2.177 net                tcp    domain  #TCPP DNS to
      <programlisting>#ACTION  SOURCE          DEST               PROTO  DEST    COMMENTS 
 #                                           PORT(S)
 ACCEPT   loc             dmz                tcp    ssh     #SSH to the DMZ
-ACCEPT   net             fw                 tcp    ssh     #SSH to the
+ACCEPT   net             $FW                tcp    ssh     #SSH to the
                                                           #Firewall</programlisting>
    </section>
@ -1860,7 +1862,7 @@ ACCEPT   loc             dmz:192.0.2.178    tcp    smtp    #Mail from local
                                                           #Network
 ACCEPT   loc             dmz:192.0.2.178    tcp    pop3    #Pop3 from local
                                                           #Network
-ACCEPT   fw              dmz:192.0.2.178    tcp    smtp    #Mail from the
+ACCEPT   $FW             dmz:192.0.2.178    tcp    smtp    #Mail from the
                                                           #Firewall
 ACCEPT   dmz:192.0.2.178 net                tcp    smtp    #Mail to the
                                                           #Internet
@ -1879,16 +1881,16 @@ ACCEPT   loc             dmz:192.0.2.177    udp    domain  #UDP DNS from
                                                           #Local Network
 ACCEPT   loc             dmz:192.0.2.177    tcp    domain  #TCP DNS from
                                                           #Local Network
-ACCEPT   fw              dmz:192.0.2.177    udp    domain  #UDP DNS from
+ACCEPT   $FW             dmz:192.0.2.177    udp    domain  #UDP DNS from
                                                           #the Firewall
-ACCEPT   fw              dmz:192.0.2.177    tcp    domain  #TCP DNS from
+ACCEPT   $FW             dmz:192.0.2.177    tcp    domain  #TCP DNS from
                                                           #the Firewall
 ACCEPT   dmz:192.0.2.177 net                udp    domain  #UDP DNS to
                                                           #the Internet
 ACCEPT   dmz:192.0.2.177 net                tcp    domain  #TCPP DNS to
                                                           #the Internet
 ACCEPT   loc             dmz                tcp    ssh     #SSH to the DMZ
-ACCEPT   net             fw                 tcp    ssh     #SSH to the
+ACCEPT   net             $FW                tcp    ssh     #SSH to the
                                                           #Firewall</programlisting>
    </section>
  </section>
@ -2339,7 +2341,7 @@ foobar.net.      86400   IN A    192.0.2.177
        external IP address does not mean that the request will be associated
        with the external interface or the <quote>net</quote> zone. Any
        traffic that you generate from the local network will be associated
-        with your local interface and will be treated as loc-&gt;fw
+        with your local interface and will be treated as loc-&gt;$FW
        traffic.</para>
      </listitem>
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-07-12</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2002-2005</year>
@ -164,18 +164,21 @@
    <para>Shorewall views the network where it is running as being composed of
    a set of <emphasis>zones</emphasis>. In the one-interface sample
-    configuration, only one zone is defined:</para>
+    configuration, only two zones are defined:</para>
-    <programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
+    <programlisting>#ZONE   TYPE    OPTIONS                 IN                      OUT
-#       ONLY                            OPTIONS                 OPTIONS
+#                                       OPTIONS                 OPTIONS
-net</programlisting>
+fw      firewall
 net     plain</programlisting>
    <para>Shorewall zones are defined in <ulink
    url="Documentation.htm#Zones"><filename>/etc/shorewall/zones</filename></ulink>.</para>
-    <para>Shorewall also recognizes the firewall system as its own zone - by
+    <para>Note that Shorewall recognizes the firewall system as its own zone.
-    default, the firewall itself is known as <emphasis
+    The name of the firewall zone (<emphasis role="bold">fw</emphasis> in the
-    role="bold">fw</emphasis>.</para>
+    above example) is stored in the shell variable <firstterm>$FW</firstterm>
    which may be used throughout the rest of the Shorewall configuration to
    refer to the firewall itself.</para>
    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones.</para>
@ -210,7 +213,7 @@ net</programlisting>
    the one-interface sample has the following policies:</para>
    <programlisting>#SOURCE ZONE   DESTINATION ZONE   POLICY   LOG LEVEL   LIMIT:BURST
-fw             net                ACCEPT
+$FW            net                ACCEPT
 net            all                DROP     info
 all            all                REJECT   info</programlisting>
@ -319,15 +322,15 @@ all            all                REJECT   info</programlisting>
    rule in <filename>/etc/shorewall/rules</filename> is:</para>
    <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
-&lt;<emphasis>action</emphasis>&gt;  net       fw</programlisting>
+&lt;<emphasis>action</emphasis>&gt;  net       $FW</programlisting>
    <example>
      <title>You want to run a Web Server and a IMAP Server on your firewall
      system:</title>
-      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+      <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DEST PORT(S)
-Web/ACCEPT  net       fw
+Web/ACCEPT  net       $FW
-IMAP/ACCEPT net       fw</programlisting>
+IMAP/ACCEPT net       $FW</programlisting>
    </example>
    <para>You may also choose to code your rules directly without using the
@ -337,15 +340,15 @@ IMAP/ACCEPT net       fw</programlisting>
    is:</para>
    <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
-ACCEPT    net       fw              <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>
+ACCEPT    net       $FW             <emphasis>&lt;protocol&gt;</emphasis>  <emphasis>&lt;port&gt;</emphasis></programlisting>
    <example>
      <title>You want to run a Web Server and a IMAP Server on your firewall
      system:</title>
      <para><programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
-ACCEPT    net       fw              tcp          80
+ACCEPT    net       $FW             tcp          80
-ACCEPT    net       fw              tcp          143</programlisting></para>
+ACCEPT    net       $FW             tcp          143</programlisting></para>
    </example>
    <para>If you don't know what port and protocol a particular application
@ -356,8 +359,8 @@ ACCEPT    net       fw              tcp          143</programlisting></para>
      uses clear text (even for login!). If you want shell access to your
      firewall from the internet, use SSH:</para>
-      <programlisting>#ACTION   SOURCE    DESTINATION     PROTO       DEST PORT(S)
+      <programlisting>#ACTION     SOURCE    DESTINATION     PROTO       DEST PORT(S)
-SSH/ACCEPT  net       fw            </programlisting>
+SSH/ACCEPT  net       $FW           </programlisting>
    </important>
    <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
--- a/Shorewall-docs2/three-interface.xml
+++ b/Shorewall-docs2/three-interface.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-09-07</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2002-2005</year>
@ -202,15 +202,19 @@
    a set of zones. In the three-interface sample configuration, the following
    zone names are used:</para>
-    <para><programlisting>#ZONE   IPSEC   OPTIONS                 IN                      OUT
+    <para><programlisting>#ZONE   TYPE   OPTIONS                 IN                      OUT
-#       ONLY                            OPTIONS                 OPTIONS
+#                                      OPTIONS                 OPTIONS
-net
+fw      firewall
-loc
+net     plain
-dmz</programlisting>Zone names are defined in
+loc     plain
 dmz     plain</programlisting>Zone names are defined in
    <filename>/etc/shorewall/zones</filename>.</para>
-    <para>Shorewall also recognizes the firewall system as its own zone - by
+    <para>Note that Shorewall recognizes the firewall system as its own zone.
-    default, the firewall itself is known as <varname>fw</varname>.</para>
+    When the /etc/shorewall/zones file is processed, he name of the firewall
    zone is stored in the shell variable <firstterm>$FW</firstterm> which may
    be used throughout the Shorewall configuration to refer to the firewall
    zone.</para>
    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones.</para>
@ -252,7 +256,7 @@ all        all         REJECT      info</programlisting>
      servers on the internet, uncomment that line.</para>
      <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
-fw         net         ACCEPT</programlisting>
+$FW        net         ACCEPT</programlisting>
    </important>
    <para>The above policy will:</para>
@ -721,12 +725,12 @@ DNAT      loc       dmz:10.10.11.2   tcp     80            -        $ETH0_IP</pr
          <filename>/etc/shorewall/rules</filename>.</para>
        </listitem>
      </itemizedlist> If you run the name server on the firewall:
-    <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
+    <programlisting>#ACTION     SOURCE    DEST                PROTO      DEST PORT(S)                      
-DNS/ACCEPT  loc       fw
+DNS/ACCEPT  loc       $FW
-DNS/ACCEPT  dmz       fw             </programlisting> Run name server on DMZ
+DNS/ACCEPT  dmz       $FW            </programlisting> Run name server on DMZ
-    computer 1: <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
+    computer 1: <programlisting>#ACTION     SOURCE    DEST                PROTO      DEST PORT(S)                      
 DNS/ACCEPT  loc       dmz:10.10.11.1
-DNS/ACCEPT  fw        dmz:10.10.11.1             </programlisting></para>
+DNS/ACCEPT  $FW       dmz:10.10.11.1             </programlisting></para>
    <para>In the rules shown above, <quote>AllowDNS</quote> is an example of a
    <emphasis>defined action</emphasis>. Shorewall includes a number of
@ -744,10 +748,10 @@ DNS/ACCEPT  fw        dmz:10.10.11.1             </programlisting></para>
    firewall) could also have been coded as follows:</para>
    <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
-ACCEPT    loc       fw                  tcp        53
+ACCEPT    loc       $FW                 tcp        53
-ACCEPT    loc       fw                  udp        53
+ACCEPT    loc       $FW                 udp        53
-ACCEPT    dmz       fw                  tcp        53
+ACCEPT    dmz       $FW                 tcp        53
-ACCEPT    dmz       fw                  udp        53              </programlisting>
+ACCEPT    dmz       $FW                 udp        53              </programlisting>
    <para>In cases where Shorewall doesn't include a defined action to meet
    your needs, you can either define the action yourself or you can simply
@ -758,14 +762,14 @@ ACCEPT    dmz       fw                  udp        53              </programlist
    <title>Other Connections</title>
    <para>The three-interface sample includes the following rule:
-    <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
+    <programlisting>#ACTION     SOURCE    DEST                PROTO      DEST PORT(S)                      
-DNS/ACCEPT  fw        net       </programlisting>That rule allow DNS access
+DNS/ACCEPT  $FW       net       </programlisting>That rule allow DNS access
    from your firewall and may be removed if you commented out the line in
    <filename>/etc/shorewall/policy</filename> allowing all connections from
    the firewall to the Internet.</para>
-    <para>The sample also includes: <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
+    <para>The sample also includes: <programlisting>#ACTION     SOURCE    DEST                PROTO      DEST PORT(S)                      
-SSH/ACCEPT  loc       fw
+SSH/ACCEPT  loc       $FW
 SSH/ACCEPT  loc       dmz        </programlisting>Those rules allow you to run
    an SSH server on your firewall and in each of your DMZ systems and to
    connect to those servers from your local systems.</para>
@ -784,14 +788,14 @@ ACCEPT    <emphasis>&lt;source zone&gt; &lt;destination zone&gt;  &lt;protocol&g
      <para>Using defined macros:</para>
-      <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)
+      <programlisting>#ACTION     SOURCE    DEST                PROTO      DEST PORT(S)
-DNS/ACCEPT  net       fw</programlisting>
+DNS/ACCEPT  net       $FW</programlisting>
      <para>Not using defined actions:</para>
      <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
-ACCEPT    net       fw                  tcp        53
+ACCEPT    net       $FW                 tcp        53
-ACCEPT    net       fw                  udp        53        </programlisting>
+ACCEPT    net       $FW                 udp        53        </programlisting>
      <para>Those rules would of course be in addition to the rules listed
      above under "If you run the name server on your firewall".</para>
@ -803,15 +807,15 @@ ACCEPT    net       fw                  udp        53        </programlisting>
    <important>
      <para>I don't recommend enabling telnet to/from the Internet because it
      uses clear text (even for login!). If you want shell access to your
-      firewall from the Internet, use SSH: <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
+      firewall from the Internet, use SSH: <programlisting>#ACTION     SOURCE    DEST                PROTO      DEST PORT(S)                      
-SSH/ACCEPT  net       fw</programlisting></para>
+SSH/ACCEPT  net       $FW</programlisting></para>
    </important>
    <para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering
    users will want to add the following two rules to be compatible with
    Jacques's Shorewall configuration: <programlisting>#ACTION   SOURCE    DEST                PROTO      DEST PORT(S)                      
-ACCEPT    loc       fw                  udp        53
+ACCEPT    loc       $FW                 udp        53
-ACCEPT    net       fw                  tcp        80       </programlisting><itemizedlist>
+ACCEPT    net       $FW                 tcp        80       </programlisting><itemizedlist>
        <listitem>
          <para>Entry 1 allows the DNS Cache to be used.</para>
        </listitem>
--- a/Shorewall-docs2/traffic_shaping.xml
+++ b/Shorewall-docs2/traffic_shaping.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2005-05-20</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2001-2005</year>
@ -294,7 +294,7 @@
        <para>Examples <programlisting>    eth0
    192.168.2.4,192.168.1.0/24</programlisting></para>
-        <para>Beginning with Shorewall version 2.2.2, "$fw" may be optionally
+        <para>Beginning with Shorewall version 2.2.2, "$FW" may be optionally
        followed by a colon (":") and a host/net address or an address
        range.</para>
      </listitem>
@ -379,7 +379,7 @@
 1       eth1      0.0.0.0/0      all
 2       eth2      0.0.0.0/0      all
 2       eth3      0.0.0.0/0      all
-3       fw        0.0.0.0/0      all</programlisting>
+3       $FW       0.0.0.0/0      all</programlisting>
    </example>
    <example>
--- a/Shorewall-docs2/two-interface.xml
+++ b/Shorewall-docs2/two-interface.xml
@ -12,7 +12,7 @@
      <surname>Eastep</surname>
    </author>
-    <pubdate>2005-08-31</pubdate>
+    <pubdate>2005-09-12</pubdate>
    <copyright>
      <year>2002-</year>
@ -223,9 +223,10 @@ loc</programlisting> Zones are defined in the <ulink
    class="directory">/etc/shorewall/</filename><filename>zones</filename></ulink>
    file.</para>
-    <para>Shorewall also recognizes the firewall system as its own zone - by
+    <para>Note that Shorewall recognizes the firewall system as its own zone -
-    default, the firewall itself is known as <emphasis
+    when the /etc/shorewall/zones file is processed, the name of the firewall
-    role="bold"><varname>fw</varname></emphasis>.</para>
+    zone is stored in the shell variable $FW which may be used to refer to the
    firewall zone throughout the Shorewall configuration.</para>
    <para>Rules about what traffic to allow and what traffic to deny are
    expressed in terms of zones. <itemizedlist spacing="compact">
@ -265,7 +266,7 @@ all        all         REJECT      info</programlisting> In the two-interface
    sample, the line below is included but commented out. If you want your
    firewall system to have full access to servers on the internet, uncomment
    that line. <programlisting>#SOURCE    DEST        POLICY      LOG LEVEL    LIMIT:BURST
-fw         net         ACCEPT</programlisting> The above policy will:
+$FW        net         ACCEPT</programlisting> The above policy will:
    <itemizedlist>
        <listitem>
          <para>Allow all connection requests from your local network to the
@ -586,10 +587,10 @@ fw         net         ACCEPT</programlisting> The above policy will:
    class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
    <programlisting>#ACTION   SOURCE    DEST                                          PROTO      DEST PORT(S)
 DNAT      net       loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<emphasis>&lt;server port&gt;</emphasis>] <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>Shorewall
-    has macros for many popular applications. Look at
+    has <ulink url="Macros.html">macros</ulink> for many popular applications.
-    /usr/share/shorewall/macro.* to see what is available in your release.
+    Look at /usr/share/shorewall/macro.* to see what is available in your
-    Macros simplify creating DNAT rules by supplying the protocol and port(s)
+    release. Macros simplify creating DNAT rules by supplying the protocol and
-    as shown in the following examples.</para>
+    port(s) as shown in the following examples.</para>
    <para><example label="1">
        <title>Web Server</title>
@ -685,7 +686,7 @@ DNAT       net       loc:10.10.10.2:80  tcp       5000</programlisting>
          in <filename
          class="directory">/etc/shorewall/</filename><filename>rules</filename>.
          <programlisting>#ACTION    SOURCE    DEST               PROTO     DEST PORT(S)
-DNS/ACCEPT loc       fw</programlisting></para>
+DNS/ACCEPT loc       $FW</programlisting></para>
        </listitem>
      </itemizedlist></para>
  </section>
@ -695,48 +696,44 @@ DNS/ACCEPT loc       fw</programlisting></para>
    <para>The two-interface sample includes the following rules:
    <programlisting>#ACTION     SOURCE    DEST               PROTO     DEST PORT(S)
-DNS/ACCEPT  fw        net</programlisting>This rule allows
+DNS/ACCEPT  $FW       net</programlisting>This rule allows
    <acronym>DNS</acronym> access from your firewall and may be removed if you
    uncommented the line in <filename
    class="directory">/etc/shorewall/</filename><filename>policy</filename>
    allowing all connections from the firewall to the internet.</para>
    <para>In the rule shown above, <quote>DNS/ACCEPT</quote> is an example of
-    a <emphasis>defined action</emphasis>. Shorewall includes a number of
+    a <emphasis>macro invocation</emphasis>. Shorewall includes a number of
-    defined actions and <ulink url="Actions.html">you can add your
+    macros (see <filename>/usr/share/shorewall/macro.*</filename>) and <ulink
-    own</ulink>. To see the list of actions included with your version of
+    url="Macros.html">you can add your own</ulink>.</para>
    Shorewall, look in the file
    <filename>/usr/share/shorewall/actions.std</filename>. Those actions that
    accept connection requests have names that begin with
    <quote>Allow</quote>.</para>
    <para>You don't have to use defined macros when coding a rule in
    <filename>/etc/shorewall/rules</filename>; Shorewall will start slightly
    faster if you code your rules directly rather than using macros. The the
    rule shown above could also have been coded as follows:<programlisting>#ACTION    SOURCE    DEST               PROTO     DEST PORT(S)
-ACCEPT     fw        net                udp       53
+ACCEPT     $FW       net                udp       53
-ACCEPT     fw        net                tcp       53</programlisting></para>
+ACCEPT     $FW       net                tcp       53</programlisting></para>
    <para>In cases where Shorewall doesn't include a defined action to meet
    your needs, you can either define the action yourself or you can simply
    code the appropriate rules directly.</para>
    <para>The sample also includes: <programlisting>#ACTION      SOURCE    DEST               PROTO     DEST PORT(S)
-SSH/ACCEPT   loc       fw</programlisting> That rule allows you to run an
+SSH/ACCEPT   loc       </programlisting>$FWThat rule allows you to run an
    <acronym>SSH</acronym> server on your firewall and connect to that server
    from your local systems.</para>
    <para>If you wish to enable other connections from your firewall to other
    systems, the general format using a macro is: <programlisting>#ACTION         SOURCE    DEST               PROTO      DEST PORT(S)
-&lt;macro&gt;/ACCEPT  fw        <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
+&lt;macro&gt;/ACCEPT  $FW       <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
    general format when not using defined actions is:<programlisting>#ACTION    SOURCE    DEST               PROTO      DEST PORT(S)
-ACCEPT     fw        <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example>
+ACCEPT     $FW       <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example>
        <title>Web Server on Firewall</title>
        <para>You want to run a Web Server on your firewall system:
        <programlisting>#ACTION     SOURCE    DEST               PROTO     DEST PORT(S)
-Web/ACCEPT  net       fw
+Web/ACCEPT  net       $FW
-Web/ACCEPT  loc       fw</programlisting> Those two rules would of course be
+Web/ACCEPT  loc       </programlisting>$FWThose two rules would of course be
        in addition to the rules listed above under <quote><link
        linkend="cachingdns">You can configure a Caching Name Server on your
        firewall</link></quote>.</para>
@ -748,12 +745,12 @@ Web/ACCEPT  loc       fw</programlisting> Those two rules would of course be
        <acronym>SSH</acronym>:</para>
        <programlisting>#ACTION      SOURCE    DEST               PROTO     DEST PORT(S)
-SSH/ACCEPT   net       fw</programlisting>
+SSH/ACCEPT   net       $FW</programlisting>
      </important> <inlinegraphic fileref="images/leaflogo.gif"
    format="GIF" />Bering users will want to add the following two rules to be
    compatible with Jacques's Shorewall configuration.<programlisting>#ACTION    SOURCE    DEST    PROTO     DEST PORT(S)
-ACCEPT     loc       fw      udp       53          #Allow DNS Cache to work
+ACCEPT     loc       $FW     udp       53          #Allow DNS Cache to work
-ACCEPT     loc       fw      tcp       80          #Allow Weblet to work</programlisting>
+ACCEPT     loc       $FW     tcp       80          #Allow Weblet to work</programlisting>
    <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
    <para>Now edit your <filename