diff --git a/Samples/one-interface/interfaces b/Samples/one-interface/interfaces
index 8daa23180..5e518c597 100755
--- a/Samples/one-interface/interfaces
+++ b/Samples/one-interface/interfaces
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.6 - Interfaces File
+# Shorewall version 3.0 - Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@@ -8,8 +8,9 @@
 #
 # Columns are:
 #
-# ZONE Zone for this interface. Must match the short name
-# of a zone defined in /etc/shorewall/zones.
+# ZONE Zone for this interface. Must match the name of a
+# zone defined in /etc/shorewall/zones. You may not
+# list the firewall zone in this column.
 #
 # If the interface serves multiple zones that will be
 # defined in the /etc/shorewall/hosts file, you should
@@ -193,7 +194,7 @@
 #
 # upnp - Incoming requests from this interface
 # may be remapped via UPNP (upnpd).
-#
+#
 # WARNING: DO NOT SET THE detectnets OPTION ON YOUR
 # INTERNET INTERFACE.
 #
diff --git a/Samples/one-interface/policy b/Samples/one-interface/policy
index c5f7bd253..c0918014b 100644
--- a/Samples/one-interface/policy
+++ b/Samples/one-interface/policy
@@ -1,15 +1,23 @@
-#
-# Shorewall 2.2 -- Sample Policy File For One Interface
 #
-# /etc/shorewall/policy
+# Shorewall version 3.0 - Policy File
 #
-# THE ORDER OF ENTRYS IN THIS FILE IS IMPORTANT!
+# /etc/shorewall/policy
+#
+# THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
 #
 # This file determines what to do with a new connection request if we
-# don't get a match from the /etc/shorewall/rules file For each
-# source/destination pair, the file is processed in order until a
+# don't get a match from the /etc/shorewall/rules file . For each
+# source/destination pair, the file is processed in order until a
 # match is found ("all" will match any client or server).
 #
+# INTRA-ZONE POLICIES ARE PRE-DEFINED
+#
+# For $FW and for all of the zoned defined in /etc/shorewall/zones,
+# the POLICY for connections from the zone to itself is ACCEPT (with no
+# logging or TCP connection rate limiting but may be overridden by an
+# entry in this file. The overriding entry must be explicit (cannot use
+# "all" in the SOURCE or DEST).
+#
 # Columns are:
 #
 # SOURCE Source zone. Must be the name of a zone defined
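Review bot: The new INTRA-ZONE paragraph in this hunk ships with wording slips that users of the sample will read verbatim: `zoned defined` should be `zones defined`, the parenthesis opened at `(with no logging or TCP connection rate limiting` is never closed, and `rules file . For each` carries a stray space before the period. Suggested lines: `# For $FW and for all of the zones defined in /etc/shorewall/zones,` and `# logging or TCP connection rate limiting) but may be overridden by an`, plus `# don't get a match from the /etc/shorewall/rules file. For each`. Since the paragraph explains that the implicit intra-zone ACCEPT can only be overridden by an explicit SOURCE/DEST entry, getting it right matters for anyone tightening the sample's defaults.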
@@ -19,38 +27,39 @@
 # in /etc/shorewall/zones, $FW or "all"
 #
 # POLICY Policy if no match from the rules file is found. Must
-# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE"
-#
-# ACCEPT
-# Accept the connection
-# DROP
-# Ignore the connection request.
-# REJECT
-# For TCP, send RST. For all other, send
-# "port unreachable" ICMP.
-# CONTINUE
-# Pass the connection request past
-# any other rules that it might also
-# match (where the source or destination
-# zone in those rules is a superset of
-# the SOURCE or DEST in this policy)
-# NONE
-# Assume that there will never be any
-# packets from this SOURCE to this
-# DEST. Shorewall will not set up any
-# infrastructure to handle such packets
-# and you may not have any rules with
-# this SOURCE and DEST in the /etc/shorewall/rules
-# file. If such a packet is received the result
-# is undefined. NONE may not be used if the
-# SOURCE or DEST columns contain the firewall
-# zone ($FW) or "all".
+# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
+#
+# ACCEPT - Accept the connection
+# DROP - Ignore the connection request
+# REJECT - For TCP, send RST. For all other,
+# send "port unreachable" ICMP.
+# QUEUE - Send the request to a user-space
+# application using the QUEUE target.
+# CONTINUE - Pass the connection request past
+# any other rules that it might also
+# match (where the source or
+# destination zone in those rules is
+# a superset of the SOURCE or DEST
+# in this policy).
+# NONE - Assume that there will never be any
+# packets from this SOURCE
+# to this DEST. Shorewall will not set
+# up any infrastructure to handle such
+# packets and you may not have any
+# rules with this SOURCE and DEST in
+# the /etc/shorewall/rules file. If
+# such a packet _is_ received, the
+# result is undefined. NONE may not be
+# used if the SOURCE or DEST columns
+# contain the firewall zone ($FW) or
+# "all".
#
 # If this column contains ACCEPT, DROP or REJECT and a
-# corresonding common action is defined in
-# /etc/shorewall/actions (or /usr/share/shorewall/actions.std)
-# then that action will be invoked before the policy named in
-# this column is inforced.
+# corresponding common action is defined in
+# /etc/shorewall/actions (or
+# /usr/share/shorewall/actions.std) then that action
+# will be invoked before the policy named in this column
+# is enforced.
 #
 # LOG LEVEL If supplied, each connection handled under the default
 # POLICY is logged at that level. If not supplied, no
@@ -60,22 +69,18 @@
 # Beginning with Shorewall version 1.3.12, you may
 # also specify ULOG (must be in upper case). This will
 # log to the ULOG target and sent to a separate log
-# through use of ulogd (http://www.gnumonks.org/projects/ulogd).
+# through use of ulogd
+# (http://www.gnumonks.org/projects/ulogd).
 #
 # If you don't want to log but need to specify the
-# following column, place "_" here.
+# following column, place "-" here.
 #
 # LIMIT:BURST If passed, specifies the maximum TCP connection rate
 # and the size of an acceptable burst. If not specified,
 # TCP connections are not limited.
 #
-# As shipped, the default policies are:
+# See http://shorewall.net/Documentation.htm#Policy for additional information.
 #
-# a) All connections from the Firewall to the Internet are allowed
-# b) All connections from the Internet are ignored but logged at syslog
-# level KERNEL.INFO.
-# d) All other connection requests are rejected and logged at level
-# KERNEL.INFO.
 ###############################################################################
 #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
 $FW net ACCEPT
diff --git a/Samples/one-interface/rules b/Samples/one-interface/rules
index a67dbc859..380038e64 100755
--- a/Samples/one-interface/rules
+++ b/Samples/one-interface/rules
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.6 - Rules File
+# Shorewall version 3.0 - Rules File
 #
 # /etc/shorewall/rules
 #
@@ -19,6 +19,45 @@
 # you cannot use an ACCEPT rule to allow traffic from the internet to
 # that system. You *must* use a DNAT rule instead.
 #------------------------------------------------------------------------------
+#
+# The rules file is divided into sections. Each section is introduced by
+# a "Section Header" which is a line beginning with SECTION followed by the
+# section name.
+#
+# Sections are as follows and must appear in the order listed:
+#
+# ESTABLISHED Packets in the ESTABLISHED state are processed
+# by rules in this section.
+#
+# The only ACTIONs allowed in this section are
+# ACCEPT, DROP, REJECT, LOG and QUEUE
+#
+# There is an implicit ACCEPT rule inserted
+# at the end of this section.
+#
+# RELATED Packets in the RELATED state are processed by
+# rules in this section.
+#
+# The only ACTIONs allowed in this section are
+# ACCEPT, DROP, REJECT, LOG and QUEUE
+#
+# There is an implicit ACCEPT rule inserted
+# at the end of this section.
+#
+# NEW Packets in the NEW and INVALID states are
+# processed by rules in this section.
+#
+# WARNING: If you specify FASTACCEPT=Yes in shorewall.conf then the
+# ESTABLISHED and RELATED sections must be empty.
+#
+# Note: If you are not familiar with Netfilter to the point where you are
+# comfortable with the differences between the various connection
+# tracking states, then I suggest that you omit the ESTABLISHED and
+# RELATED sections and place all of your rules in the NEW section.
+#
+# You may omit any section that you don't need. If no Section Headers appear
+# in the file then all rules are assumed to be in the NEW section.
+#
 # Columns are:
 #
 # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
@@ -77,6 +116,9 @@
 # /etc/shorewall/actions or in
 # /usr/share/shorewall/actions.std.
 #
+# -- The name of a macro defined in a
+# file named macro..
+#
 # The ACTION may optionally be followed
 # by ":" and a syslog log level (e.g, REJECT:info or
 # DNAT:debug). This causes the packet to be
@@ -219,14 +261,20 @@
 # contain the port number on the firewall that the
 # request should be redirected to.
 #
-# PROTO Protocol - Must be "tcp", "udp", "icmp", a number, or
-# "all".
+# PROTO Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
+# a number, or "all". "ipp2p" requires ipp2p match
+# support in your kernel and iptables.
 #
 # DEST PORT(S) Destination Ports. A comma-separated list of Port
 # names (from /etc/services), port numbers or port
 # ranges; if the protocol is "icmp", this column is
 # interpreted as the destination icmp-type(s).
 #
+# If the protocol is ipp2p, this column is interpreted
+# as an ipp2p option without the leading "--" (example
+# "bit" for bit-torrent). If no port is given, "ipp2p" is
+# assumed.
+#
 # A port range is expressed as :.
 #
 # This column is ignored if PROTOCOL = all but must be
@@ -288,7 +336,7 @@
 #
 # See http://shorewall.net/PortKnocking.html for an
 # example of using an entry in this column with a
-# user-defined action rule.
+# user-defined action rule.
 #
 # RATE LIMIT You may rate-limit the rule by placing a value in
 # this colume:
@@ -305,7 +353,7 @@
 #
 # USER/GROUP This column may only be non-empty if the SOURCE is
 # the firewall itself.
-#
+#
 # The column may contain:
 #
 # [!][][:][+]
@@ -368,15 +416,15 @@
 # ACCEPT net:130.252.100.69,130.252.100.70 $FW \
 # tcp 22
 #############################################################################################################
-#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
-# PORT PORT(S) DEST LIMIT GROUP
+#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
+# PORT PORT(S) DEST LIMIT GROUP
 # Reject Ping from the "bad" net zone.. and prevent your log from being flooded..
-Ping/REJECT:none! net $FW
+Ping/REJECT net $FW
 # Permit all ICMP traffic FROM the firewall TO the net zone
-ACCEPT $FW net icmp
+ACCEPT $FW net icmp
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
diff --git a/Samples/one-interface/zones b/Samples/one-interface/zones
index a8f10c1c5..f85ed8c63 100644
--- a/Samples/one-interface/zones
+++ b/Samples/one-interface/zones
@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.6 - Zones File
+# Shorewall version 3.0 - Zones File
 #
 # /etc/shorewall/zones
 #
@@ -38,9 +38,9 @@
 # Your kernel and iptables must include policy
 # match support.
 # firewall
-# - Designates the firewall itself. You must have
+# - Designates the firewall itself. You must have
 # exactly one 'firewall' zone. No options are
-# permitted with a 'firewall' zone. The name that you
+# permitted with a 'firewall' zone. The name that you
 # enter in the ZONE column will be stored in the shell
 # variable $FW which you may use in other configuration
 # files to designate the firewall zone.