diff --git a/Shorewall-docs/Documentation.xml b/Shorewall-docs/Documentation.xml index d3305b1e1..7b402f9aa 100644 --- a/Shorewall-docs/Documentation.xml +++ b/Shorewall-docs/Documentation.xml @@ -520,8 +520,8 @@ (Added in version 1.4.7) - This option causes /proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the result that this interface will only answer ARP - 'who-has' requests from hosts that are routed out of - that interface. Setting this option facilitates testing of + who-has requests from hosts that are routed out + of that interface. Setting this option facilitates testing of your firewall where multiple firewall interfaces are connected to the same HUB/Switch (all interface connected to the single HUB/Switch should have this option specified). Note that using @@ -643,8 +643,8 @@ Packets from this interface that are selected by the - 'unclean' match target in iptables will be optionally - logged and then dropped. + unclean match target in iptables will be + optionally logged and then dropped. This feature requires that UNCLEAN match support be @@ -681,7 +681,7 @@ This option works like dropunclean with the exception that packets selected by the - 'unclean' match target in iptables are logged + unclean match target in iptables are logged but not dropped. The level at which the packets are logged is determined by the setting of LOGUNCLEAN and if LOGUNCLEAN has not been set, info is @@ -1014,8 +1014,8 @@ - The '-' in the ZONE column for eth1 tells Shorewall that - eth1 interfaces to multiple zones. + The - in the ZONE column for eth1 tells Shorewall + that eth1 interfaces to multiple zones. @@ -1475,7 +1475,7 @@ - Multiple 'net' interfaces to different ISPs. You + Multiple net interfaces to different ISPs. You don't want to route traffic from one ISP to the other through your firewall. 
@@ -1922,10 +1922,11 @@ The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the net zone with the exception of those - in the 'sam' zone should have their connection port forwarded to - 192.168.1.3. If you need to exclude more than one zone in this way, you - can list the zones separated by commas (e.g., net!sam,joe,fred). This - technique also may be used when the ACTION is REDIRECT. + in the sam zone should have their connection port + forwarded to 192.168.1.3. If you need to exclude more than one zone in + this way, you can list the zones separated by commas (e.g., + net!sam,joe,fred). This technique also may be used when the ACTION is + REDIRECT. @@ -1979,11 +1980,11 @@ a header-rewriting rule in the Netfilter - 'nat' table + nat table - an ACCEPT rule in the Netfilter 'filter' + an ACCEPT rule in the Netfilter filter table. DNAT- works like DNAT but only generates the header-rewriting rule. @@ -2010,11 +2011,11 @@ a header-rewriting rule in the Netfilter - 'nat' table + nat table - an ACCEPT rule in the Netfilter 'filter' + an ACCEPT rule in the Netfilter filter table. REDIRECT- works like REDIRECT but only generates the header-rewriting rule. @@ -2123,7 +2124,7 @@ comma-separated list of those sub-zones to be excluded. There is an example above. - If the source is not 'all' then the source may be + If the source is not all then the source may be further restricted by adding a colon (:) followed by a comma-separated list of qualifiers. Qualifiers are may include: 
@@ -2784,10 +2785,10 @@ - When 'all' is used as a source or destination, - intra-zone traffic is not affected. In this example, if there were two - DMZ interfaces then the above rule would NOT enable SMTP traffic between - hosts on these interfaces. + When all is used as a source or + destination, intra-zone traffic is not affected. In this example, if + there were two DMZ interfaces then the above rule would NOT enable SMTP + traffic between hosts on these interfaces. @@ -3011,8 +3012,8 @@ The /etc/shorewall/common file is expected to contain iptables commands; rather than running iptables directly, you should run it - indirectly using the Shorewall function 'run_iptables'. That way, - if iptables encounters an error, the firewall will be safely stopped. + indirectly using the Shorewall function run_iptables. That + way, if iptables encounters an error, the firewall will be safely stopped.
@@ -3055,7 +3056,7 @@ an interface name. In the latter instance, the interface must be configured and started before Shorewall is started as Shorewall will determine the subnet based on information obtained from the - 'ip' utility. + ip utility. When using Shorewall 1.3.13 or earlier, when an interface @@ -3576,14 +3577,14 @@ (Added at version 1.4.4) - The value of this variable generate the --log-prefix setting for Shorewall logging rules. It contains a - 'printf' formatting template which accepts three arguments - (the chain name, logging rule number (optional) and the + printf formatting template which accepts three + arguments (the chain name, logging rule number (optional) and the disposition). To use LOGFORMAT with fireparse, set it as: LOGFORMAT="fp=%s:%d a=%s " - If the LOGFORMAT value contains the substring '%d' + If the LOGFORMAT value contains the substring %d then the logging rule number is calculated and formatted in that position; if that substring is not included then the rule number is not included. If not supplied or supplied as empty @@ -3592,12 +3593,12 @@ /sbin/shorewall uses the leading part of the LOGFORMAT - string (up to but not including the first '%') to find log - messages in the 'show log', 'status' and - 'hits' commands. This part should not be omitted (the - LOGFORMAT should not begin with %) and the leading - part should be sufficiently unique for /sbin/shorewall to identify - Shorewall messages. + string (up to but not including the first %) to + find log messages in the show log, status + and hits commands. This part should not be omitted + (the LOGFORMAT should not begin with %) and the + leading part should be sufficiently unique for /sbin/shorewall to + identify Shorewall messages. 
@@ -3607,15 +3608,15 @@ (Added at version 1.3.13) - If this option is set to - 'No' then Shorewall won't clear the current traffic + No then Shorewall won't clear the current traffic control rules during [re]start. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way, your traffic - shaping rules can still use the 'fwmark' classifier based on - packet marking defined in /etc/shorewall/tcrules. If not specified, - CLEAR_TC=Yes is assumed. + shaping rules can still use the fwmark classifier + based on packet marking defined in /etc/shorewall/tcrules. If not + specified, CLEAR_TC=Yes is assumed. @@ -3644,7 +3645,7 @@ (Added at version 1.3.12) - This parameter determines the - level at which packets logged under the 'norfc1918' + level at which packets logged under the norfc1918 mechanism are logged. The value must be a valid syslog level and if no level is given, then info is assumed. Prior to Shorewall version 1.3.12, @@ -4017,12 +4018,12 @@ This parameter determines the logging level of mangled/invalid - packets controlled by the 'dropunclean and logunclean' + packets controlled by the dropunclean and logunclean interface options. If LOGUNCLEAN is empty (LOGUNCLEAN=) then packets - selected by 'dropclean' are dropped silently - ('logunclean' packets are logged under the 'info' - log level). Otherwise, these packets are logged at the specified - level (Example: LOGUNCLEAN=debug). + selected by dropclean are dropped silently (logunclean + packets are logged under the info log level). + Otherwise, these packets are logged at the specified level (Example: + LOGUNCLEAN=debug). 
@@ -4352,7 +4353,7 @@ blacklist file will be disposed of according to the value assigned to the BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf. Only packets arriving on - interfaces that have the 'blacklist' + interfaces that have the blacklist option in /etc/shorewall/interfaces are checked against the blacklist. The black list is designed to prevent listed hosts/subnets from accessing services on your network.
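Review bot: In the @@ -520 hunk, the unchanged context line "(all interface connected to the single HUB/Switch" has a number-agreement error; since the paragraph is being rewrapped anyway, change it to "all interfaces connected to the single HUB/Switch".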
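Review bot: In the @@ -2123 hunk, the trailing context line "Qualifiers are may include:" is ungrammatical; it should read "Qualifiers may include:" and is worth fixing in the same change since the sentence directly above it is already being edited.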
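Review bot: In the @@ -3576 hunk, the context line "The value of this variable generate the --log-prefix setting" needs "generates"; the hunk rewraps the lines immediately after it, so the fix belongs here.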
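Review bot: In the @@ -4017 hunk, the new line "selected by dropclean are dropped silently" carries over a misspelled option name: the interface option named in the same paragraph is dropunclean, so the replacement line should read "selected by dropunclean are dropped silently" rather than preserving the typo from the removed line.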