Add links between online manpages

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5228 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

manpages-lite/shorewall-lite.xml

@@ -298,9 +298,10 @@
     the command produces. They consist of a sequence of the letters <emphasis
     role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
     options are omitted, the amount of output is determined by the setting of
-    the VERBOSITY parameter in shorewall.conf(5). Each <emphasis
+    the VERBOSITY parameter in <ulink
-    role="bold">v</emphasis> adds one to the effective verbosity and each
+    url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5). Each
-    <emphasis role="bold">q</emphasis> subtracts one from the effective
+    <emphasis role="bold">v</emphasis> adds one to the effective verbosity and
+    each <emphasis role="bold">q</emphasis> subtracts one from the effective
     VERBOSITY.</para>
   </refsect1>
 
@@ -318,8 +319,9 @@
           with VPN's.</para>
 
           <para>The <emphasis>interface</emphasis> argument names an interface
-          defined in the shorewall-interfaces(5) file. A
+          defined in the <ulink
-          <emphasis>host-list</emphasis> is comma-separated list whose
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are:</para>
 
           <programlisting>        A host or network address
@@ -359,8 +361,9 @@
           role="bold">add</emphasis> command.</para>
 
           <para>The <emphasis>interface</emphasis> argument names an interface
-          defined in the shorewall-interfaces(5) file. A
+          defined in the <ulink
-          <emphasis>host-list</emphasis> is comma-separated list whose
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are:</para>
 
           <programlisting>        A host or network address
@@ -400,7 +403,9 @@
           <para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e
           and /var/lib/shorewall-lite/save. If no
           <emphasis>filename</emphasis> is given then the file specified by
-          RESTOREFILE in shorewall.conf(5) is assumed.</para>
+          RESTOREFILE in <ulink
+          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
+          assumed.</para>
         </listitem>
       </varlistentry>
 
@@ -453,11 +458,12 @@
         <term><emphasis role="bold">logwatch</emphasis></term>
 
         <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in
+          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          shorewall.conf(5) and produces an audible alarm when new Shorewall
+          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
-          Lite messages are logged. The <emphasis role="bold">-m</emphasis>
+          produces an audible alarm when new Shorewall Lite messages are
-          option causes the MAC address of each packet source to be displayed
+          logged. The <emphasis role="bold">-m</emphasis> option causes the
-          if that information is available.</para>
+          MAC address of each packet source to be displayed if that
+          information is available.</para>
         </listitem>
       </varlistentry>
 
@@ -499,8 +505,8 @@
           a restore file in /var/lib/shorewall-lite created using <emphasis
           role="bold">shorewall-lite save</emphasis>; if no
           <emphasis>filename</emphasis> is given then Shorewall Lite will be
-          restored from the file specified by the RESTOREFILE option in
+          restored from the file specified by the RESTOREFILE option in <ulink
-          shorewall.conf(5).</para>
+          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -514,8 +520,8 @@
           <emphasis role="bold">shorewall-lite restore</emphasis> and
           <emphasis role="bold">shorewall-lite -f start</emphasis> commands.
           If <emphasis>filename</emphasis> is not given then the state is
-          saved in the file specified by the RESTOREFILE option in
+          saved in the file specified by the RESTOREFILE option in <ulink
-          shorewall.conf(5).</para>
+          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -660,10 +666,10 @@
           shorewall-lite managed interfaces are untouched. New connections
           will be allowed only if they are allowed by the firewall rules or
           policies. If <emphasis role="bold">-f</emphasis> is specified, the
-          saved configuration specified by the RESTOREFILE option in
+          saved configuration specified by the RESTOREFILE option in <ulink
-          shorewall.conf(5) will be restored if that saved configuration
+          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
-          exists and has been modified more recently than the files in
+          be restored if that saved configuration exists and has been modified
-          /etc/shorewall.</para>
+          more recently than the files in /etc/shorewall.</para>
         </listitem>
       </varlistentry>
 
@@ -672,11 +678,13 @@
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
-          listed in shorewall-routestopped(5) or permitted by the
+          listed in <ulink
-          ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. The
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          only new traffic permitted through the firewall is from systems
+          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
-          listed in shorewall-routestopped(5) or by
+          are taken down. The only new traffic permitted through the firewall
-          ADMINISABSENTMINDED.</para>
+          is from systems listed in <ulink
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          or by ADMINISABSENTMINDED.</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall-actions.xml

@@ -22,8 +22,9 @@
     <title>Description</title>
 
     <para>This file allows you to define new ACTIONS for use in rules (see
-    shorewall-rules(5)). You define the iptables rules to be performed in an
+    <ulink url="shorewall-rules.html">shorewall-rules(5)</ulink>). You define
-    ACTION in /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
+    the iptables rules to be performed in an ACTION in
+    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>
 
     <para>ACTION names should begin with an upper-case letter to distinguish
     them from Shorewall-generated chain names and they must meet the

manpages/shorewall-blacklist.xml

@@ -73,12 +73,14 @@
     </variablelist>
 
     <para>When a packet arrives on an interface that has the <emphasis
-    role="bold">blacklist</emphasis> option specified in
+    role="bold">blacklist</emphasis> option specified in <ulink
-    shorewall-interfaces(5), its source IP address and MAC address is checked
+    url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5), its
-    against this file and disposed of according to the <emphasis
+    source IP address and MAC address is checked against this file and
+    disposed of according to the <emphasis
     role="bold">BLACKLIST_DISPOSITION</emphasis> and <emphasis
-    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in shorewall.conf(5).
+    role="bold">BLACKLIST_LOGLEVEL</emphasis> variables in <ulink
-    If <emphasis role="bold">PROTOCOL</emphasis> or <emphasis
+    url="shorewall.conf.html">shorewall.conf</ulink>(5). If <emphasis
+    role="bold">PROTOCOL</emphasis> or <emphasis
     role="bold">PROTOCOL</emphasis> and <emphasis role="bold">PORTS</emphasis>
     are supplied, only packets matching the protocol (and one of the ports if
     <emphasis role="bold">PORTS</emphasis> supplied) are blocked.</para>

manpages/shorewall-hosts.xml

@@ -26,9 +26,9 @@
     place anything in this file.</para>
 
     <para>The order of entries in this file is not significant in determining
-    zone composition. Rather, the order that the zones are defined in
+    zone composition. Rather, the order that the zones are defined in <ulink
-    shorewall-zones(5) determines the order in which the records in this file
+    url="shorewall-zones.html">shorewall-zones</ulink>(5) determines the order
-    are interpreted.</para>
+    in which the records in this file are interpreted.</para>
 
     <warning>
       <para>The only time that you need this file is when you have more than
@@ -36,9 +36,10 @@
     </warning>
 
     <warning>
-      <para>If you have an entry for a zone and interface in
+      <para>If you have an entry for a zone and interface in <ulink
-      shorewall-interfaces(5) then do not include any entries in this file for
+      url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) then do
-      that same (zone, interface) pair.</para>
+      not include any entries in this file for that same (zone, interface)
+      pair.</para>
     </warning>
 
     <para>The columns in the file are as follows.</para>
@@ -49,7 +50,8 @@
         <emphasis>zone-name</emphasis></term>
 
         <listitem>
-          <para>The name of a zone defined in shorewall-zones(5). You may not
+          <para>The name of a zone defined in <ulink
+          url="shorewall-zones.html">shorewall-zones</ulink>(5). You may not
           list the firewall zone in this column.</para>
         </listitem>
       </varlistentry>
@@ -61,9 +63,10 @@
         role="bold">+</emphasis><emphasis>ipset</emphasis>}[<emphasis>exclusion</emphasis>]</term>
 
         <listitem>
-          <para>The name of an interface defined in the
+          <para>The name of an interface defined in the <ulink
-          shorewall-interfaces(5) file followed by a colon (":") and a
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file
-          comma-separated list whose elements are either:</para>
+          followed by a colon (":") and a comma-separated list whose elements
+          are either:</para>
 
           <orderedlist numeration="loweralpha">
             <listitem>
@@ -84,12 +87,14 @@
               <para>A physical <emphasis>bridge-port</emphasis> name; only
               allowed when the interface names a bridge created by the
               <command>brctl(8) addbr</command> command. This port must not be
-              defined in shorewall-interfaces(5) and may be optionally
+              defined in <ulink
-              followed by a colon (":") and a host or network IP or a range.
+              url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
-              See <ulink
+              and may be optionally followed by a colon (":") and a host or
+              network IP or a range. See <ulink
               url="http://www.shorewall.net/bridge.html">http://www.shorewall.net/bridge.html</ulink>
               for details. Specifying a physical port name requires that you
-              have BRIDGING=Yes in shorewall.conf(5).</para>
+              have BRIDGING=Yes in <ulink
+              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
             </listitem>
 
             <listitem>
@@ -99,7 +104,8 @@
 
           <blockquote>
             <para>You may also exclude certain hosts through use of an
-            <emphasis>exclusion</emphasis> (see shorewall-exclusion(5).</para>
+            <emphasis>exclusion</emphasis> (see <ulink
+            url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5).</para>
           </blockquote>
         </listitem>
       </varlistentry>
@@ -119,9 +125,11 @@
 
               <listitem>
                 <para>Connection requests from these hosts are compared
-                against the contents of shorewall-maclist(5). If this option
+                against the contents of <ulink
-                is specified, the interface must be an ethernet NIC or
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-                equivalent and must be up before Shorewall is started.</para>
+                this option is specified, the interface must be an ethernet
+                NIC or equivalent and must be up before Shorewall is
+                started.</para>
               </listitem>
             </varlistentry>
 
@@ -145,8 +153,9 @@
                 <para>This option only makes sense for ports on a
                 bridge.</para>
 
-                <para>Check packets arriving on this port against the
+                <para>Check packets arriving on this port against the <ulink
-                shorewall-blacklist(5) file.</para>
+                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
+                file.</para>
               </listitem>
             </varlistentry>
 
@@ -173,8 +182,9 @@
                 address as the source).</para>
 
                 <para>Smurfs will be optionally logged based on the setting of
-                SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the
+                SMURF_LOG_LEVEL in <ulink
-                packets are dropped.</para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
+                logging, the packets are dropped.</para>
               </listitem>
             </varlistentry>
 
@@ -184,8 +194,10 @@
               <listitem>
                 <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
                 that if the zone named in the ZONE column is specified as an
-                IPSEC zone in the shorewall-zones(5) file then you do NOT need
+                IPSEC zone in the <ulink
-                to specify the 'ipsec' option here.</para>
+                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
+                then you do NOT need to specify the 'ipsec' option
+                here.</para>
               </listitem>
             </varlistentry>
           </variablelist>

manpages/shorewall-interfaces.xml

@@ -153,7 +153,9 @@ loc     eth2            -</programlisting>
               <listitem>
                 <para>Turn on kernel route filtering for this interface
                 (anti-spoofing measure). This option can also be enabled
-                globally in the shorewall.conf(5) file.</para>
+                globally in the <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5)
+                file.</para>
               </listitem>
             </varlistentry>
 
@@ -166,7 +168,9 @@ loc     eth2            -</programlisting>
                 <emphasis role="bold">routefilter</emphasis> on an interface
                 that you also set <emphasis
                 role="bold">logmartians</emphasis>. This option may also be
-                enabled globally in the shorewall.conf(5) file.</para>
+                enabled globally in the <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5)
+                file.</para>
               </listitem>
             </varlistentry>
 
@@ -175,7 +179,9 @@ loc     eth2            -</programlisting>
 
               <listitem>
                 <para>Check packets arriving on this interface against the
-                shorewall-blacklist(5) file.</para>
+                <ulink
+                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
+                file.</para>
               </listitem>
             </varlistentry>
 
@@ -184,9 +190,10 @@ loc     eth2            -</programlisting>
 
               <listitem>
                 <para>Connection requests from this interface are compared
-                against the contents of shorewall-maclist(5). If this option
+                against the contents of <ulink
-                is specified, the interface must be an ethernet NIC and must
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-                be up before Shorewall is started.</para>
+                this option is specified, the interface must be an ethernet
+                NIC and must be up before Shorewall is started.</para>
               </listitem>
             </varlistentry>
 
@@ -209,8 +216,10 @@ loc     eth2            -</programlisting>
                 <para>Sets
                 /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/proxy_arp.
                 Do NOT use this option if you are employing Proxy ARP through
-                entries in shorewall-proxyarp(5). This option is intended
+                entries in <ulink
-                solely for use with Proxy ARP sub-networking as described at:
+                url="shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).
+                This option is intended solely for use with Proxy ARP
+                sub-networking as described at:
                 http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet</para>
               </listitem>
             </varlistentry>
@@ -277,8 +286,9 @@ loc     eth2            -</programlisting>
                 address as the source).</para>
 
                 <para>Smurfs will be optionally logged based on the setting of
-                SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the
+                SMURF_LOG_LEVEL in <ulink
-                packets are dropped.</para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
+                logging, the packets are dropped.</para>
               </listitem>
             </varlistentry>
 

manpages/shorewall-maclist.xml

@@ -24,7 +24,9 @@
     <para>This file is used to define the MAC addresses and optionally their
     associated IP addresses to be allowed to use the specified interface. The
     feature is enabled by using the <emphasis role="bold">maclist</emphasis>
-    option in the shorewall-interfaces(5) or shorewall-hosts(5) configuration
+    option in the <ulink
+    url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) or <ulink
+    url="shorewall-hosts.html">shorewall-hosts</ulink>(5) configuration
     file.</para>
 
     <para>The columns in the file are as follows.</para>
@@ -38,8 +40,9 @@
 
         <listitem>
           <para><emphasis role="bold">ACCEPT</emphasis> or <emphasis
-          role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in
+          role="bold">DROP</emphasis> (if MACLIST_TABLE=filter in <ulink
-          shorewall.conf(5), then REJECT is also allowed). If specified, the
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), then REJECT is
+          also allowed). If specified, the
           <replaceable>log-level</replaceable> causes packets matching the
           rule to be logged at that level.</para>
         </listitem>

manpages/shorewall-masq.xml

@@ -32,7 +32,9 @@
     <warning>
       <para>If you have more than one ISP, adding entries to this file will
       *not* force connections to go out through a particular ISP. You must use
-      PREROUTING entries in /etc/shorewall-tcrules(5) to do that.</para>
+      PREROUTING entries in <ulink
+      url="shorewall-tcrules.tcml">shorewall-tcrules</ulink>(5) to do
+      that.</para>
     </warning>
 
     <para>The columns in the file are as follows.</para>
@@ -47,19 +49,20 @@
 
         <listitem>
           <para>Outgoing <emphasis>interface</emphasis>. This is usually your
-          internet interface. If ADD_SNAT_ALIASES=Yes in shorewall.conf(5),
+          internet interface. If ADD_SNAT_ALIASES=Yes in <ulink
-          you may add ":" and a <emphasis>digit</emphasis> to indicate that
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), you may add ":"
-          you want the alias added with that name (e.g., eth0:0). This will
+          and a <emphasis>digit</emphasis> to indicate that you want the alias
-          allow the alias to be displayed with ifconfig. <emphasis
+          added with that name (e.g., eth0:0). This will allow the alias to be
-          role="bold">That is the only use for the alias name; it may not
+          displayed with ifconfig. <emphasis role="bold">That is the only use
-          appear in any other place in your Shorewall
+          for the alias name; it may not appear in any other place in your
-          configuratio</emphasis>n.</para>
+          Shorewall configuratio</emphasis>n.</para>
 
           <para>The interface may be qualified by adding the character ":"
           followed by a comma-separated list of destination host or subnet
           addresses to indicate that you only want to change the source IP
           address for packets being sent to those particular destinations.
-          Exclusion is allowed (see shorewall-exclusion(5)).</para>
+          Exclusion is allowed (see <ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
 
           <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
           entry then include the ":" but omit the digit:</para>
@@ -68,16 +71,18 @@
         eth2::192.0.2.32/27</programlisting>
 
           <para>Normally Masq/SNAT rules are evaluated after those for
-          one-to-one NAT (defined in shorewall-nat(5)). If you want the rule
+          one-to-one NAT (defined in <ulink
-          to be applied before one-to-one NAT rules, prefix the interface name
+          url="shorewall-nat.html">shorewall-nat</ulink>(5)). If you want the
-          with "+":</para>
+          rule to be applied before one-to-one NAT rules, prefix the interface
+          name with "+":</para>
 
           <programlisting>        +eth0
         +eth0:192.0.2.32/27
         +eth0:2</programlisting>
 
           <para>This feature should only be required if you need to insert
-          rules in this file that preempt entries in shorewall/nat(5).</para>
+          rules in this file that preempt entries in <ulink
+          url="shorewall-nat.html">shorewall-nat</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -98,7 +103,8 @@
           <para>In order to exclude a address of the specified SOURCE, you may
           append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
           list of IP addresses (host or net) that you wish to exclude (see
-          shorewall-exclusion(5))).</para>
+          <ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).</para>
 
           <para>Example: eth1!192.168.1.4,192.168.32.0/27</para>
 
@@ -118,8 +124,9 @@
         <listitem>
           <para>If you specify an address here, SNAT will be used and this
           will be the source address. If ADD_SNAT_ALIASES is set to Yes or yes
-          in shorewall.conf(5) then Shorewall will automatically add this
+          in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) then
-          address to the INTERFACE named in the first column.</para>
+          Shorewall will automatically add this address to the INTERFACE named
+          in the first column.</para>
 
           <para>You may also specify a range of up to 256 IP addresses if you
           want the SNAT address to be assigned from that range in a

manpages/shorewall-nat.xml

@@ -60,13 +60,14 @@
         <listitem>
           <para>Interface that has the <emphasis
           role="bold">EXTERNAL</emphasis> address. If ADD_IP_ALIASES=Yes in
-          shorewall.conf(5), Shorewall will automatically add the EXTERNAL
+          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5),
-          address to this interface. Also if ADD_IP_ALIASES=Yes, you may
+          Shorewall will automatically add the EXTERNAL address to this
-          follow the interface name with ":" and a <emphasis>digit</emphasis>
+          interface. Also if ADD_IP_ALIASES=Yes, you may follow the interface
-          to indicate that you want Shorewall to add the alias with this name
+          name with ":" and a <emphasis>digit</emphasis> to indicate that you
-          (e.g., "eth0:0"). That allows you to see the alias with ifconfig.
+          want Shorewall to add the alias with this name (e.g., "eth0:0").
-          <emphasis role="bold">That is the only thing that this name is good
+          That allows you to see the alias with ifconfig. <emphasis
-          for -- you cannot use it anwhere else in your Shorewall
+          role="bold">That is the only thing that this name is good for -- you
+          cannot use it anwhere else in your Shorewall
           configuration.</emphasis></para>
 
           <para>If you want to override ADD_IP_ALIASES=Yes for a particular

manpages/shorewall-netmap.xml

@@ -65,7 +65,8 @@
 
         <listitem>
           <para>The name of a network interface. The interface must be defined
-          in /etc/shorewall-interfaces(5).</para>
+          in <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall-params.xml

@@ -33,7 +33,9 @@
 NET_BCAST=130.252.100.255
 NET_OPTIONS=routefilter,norfc1918</programlisting>
 
-    <para>Example shorewall-interfaces(5) file.</para>
+    <para>Example <ulink
+    url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+    file.</para>
 
     <programlisting>ZONE    INTERFACE       BROADCAST       OPTIONS
 net     $NET_IF         $NET_BCAST      $NET_OPTIONS</programlisting>

manpages/shorewall-providers.xml

@@ -71,10 +71,12 @@
         <emphasis>value</emphasis></term>
 
         <listitem>
-          <para>A FWMARK <emphasis>value</emphasis> used in your
+          <para>A FWMARK <emphasis>value</emphasis> used in your <ulink
-          shorewall-tcrules(5) file to direct packets to this provider.</para>
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) file to
+          direct packets to this provider.</para>
 
-          <para>If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value
+          <para>If HIGH_ROUTE_MARKS=Yes in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), then the value
           must be a multiple of 256 between 256 and 65280 or their hexadecimal
           equivalents (0x0100 and 0xff00 with the low-order byte of the value
           being zero). Otherwise, the value must be between 1 and 255. Each
@@ -100,7 +102,8 @@
 
         <listitem>
           <para>The name of the network interface to the provider. Must be
-          listed in shorewall-interfaces(5).</para>
+          listed in <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall-route_rules.xml

@@ -22,7 +22,8 @@
     <title>Description</title>
 
     <para>Entries in this file cause traffic to be routed to one of the
-    providers listed in shorewall-providers(5).</para>
+    providers listed in <ulink
+    url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
 
     <para>The columns in the file are as follows.</para>
 

manpages/shorewall-routestopped.xml

@@ -134,7 +134,8 @@
     <note>
       <para>The <emphasis role="bold">source</emphasis> and <emphasis
       role="bold">dest</emphasis> options work best when used in conjunction
-      with ADMINISABSENTMINDED=Yes in shorewall.conf(5).</para>
+      with ADMINISABSENTMINDED=Yes in <ulink
+      url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
     </note>
   </refsect1>
 

manpages/shorewall-rules.xml

@@ -98,8 +98,9 @@
     </note>
 
     <warning>
-      <para>If you specify FASTACCEPT=Yes in shorewall.conf(5) then the
+      <para>If you specify FASTACCEPT=Yes in <ulink
-      <emphasis role="bold">ESTABLISHED</emphasis> and <emphasis
+      url="shorewall.conf.html">shorewall.conf</ulink>(5) then the <emphasis
+      role="bold">ESTABLISHED</emphasis> and <emphasis
       role="bold">RELATED</emphasis> sections must be empty.</para>
     </warning>
 
@@ -263,9 +264,10 @@
                 <para>Do not process any of the following rules for this
                 (source zone,destination zone). If the source and/or
                 destination IP address falls into a zone defined later in
-                shorewall-zones(5) or in a parent zone of the source or
+                <ulink url="shorewall-zones.html">shorewall-zones</ulink>(5)
-                destination zones, then this connection request will be passed
+                or in a parent zone of the source or destination zones, then
-                to the rules defined for that (those) zone(s).</para>
+                this connection request will be passed to the rules defined
+                for that (those) zone(s).</para>
               </listitem>
             </varlistentry>
 
@@ -305,9 +307,10 @@
               <term><emphasis>action</emphasis></term>
 
               <listitem>
-                <para>The name of an <emphasis>action</emphasis> defined in
+                <para>The name of an <emphasis>action</emphasis> declared in
-                shorewall-actions(5) or in
+                <ulink
-                /usr/share/shorewall/actions.std.</para>
+                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
+                in /usr/share/shorewall/actions.std.</para>
               </listitem>
             </varlistentry>
 
@@ -344,7 +347,8 @@
             rewritten.</para>
 
             <para>If the <emphasis role="bold">ACTION</emphasis> names an
-            <emphasis>action</emphasis> defined in shorewall-actions(5) or in
+            <emphasis>action</emphasis> defined in <ulink
+            url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
             /usr/share/shorewall/actions.std then:</para>
 
             <itemizedlist>
@@ -373,7 +377,8 @@
 
             <para>Actions specifying logging may be followed by a log tag (a
             string of alphanumeric characters) which is appended to the string
-            generated by the LOGPREFIX (in shorewall.conf(5)).</para>
+            generated by the LOGPREFIX (in <ulink
+            url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
 
             <para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
             the log prefix generated by the LOGPREFIX setting.</para>
@@ -432,8 +437,8 @@
           bindings to be matched.</para>
 
           <para>You may exclude certain hosts from the set already defined
-          through use of an <emphasis>exclusion</emphasis> (see
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
-          shorewall-exclusion(5)).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
 
           <para>Examples:</para>
 
@@ -521,11 +526,11 @@
         role="bold">+</emphasis><emphasis>ipset</emphasis>}]</term>
 
         <listitem>
-          <para>Location of Server. May be a zone defined in
+          <para>Location of Server. May be a zone defined in <ulink
-          shorewall-zones(5), $<emphasis role="bold">FW</emphasis> to indicate
+          url="shorewall-zones.html">shorewall-zones</ulink>(5), $<emphasis
-          the firewall itself, <emphasis role="bold">all</emphasis>. <emphasis
+          role="bold">FW</emphasis> to indicate the firewall itself, <emphasis
-          role="bold">all+</emphasis> or <emphasis
+          role="bold">all</emphasis>. <emphasis role="bold">all+</emphasis> or
-          role="bold">none</emphasis>.</para>
+          <emphasis role="bold">none</emphasis>.</para>
 
           <para>When <emphasis role="bold">none</emphasis> is used either in
           the <emphasis role="bold">SOURCE</emphasis> or <emphasis
@@ -544,8 +549,8 @@
           role="bold">SOURCE</emphasis> above.</para>
 
           <para>You may exclude certain hosts from the set already defined
-          through use of an <emphasis>exclusion</emphasis> (see
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
-          shorewall-exclusion(5)).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
 
           <para>Restrictions:</para>
 

manpages/shorewall-tcrules.xml

@@ -25,9 +25,11 @@
     classifying them for traffic control or policy routing.</para>
 
     <important>
-      <para>Unlike rules in the shorewall-rules(5) file, evaluation of rules
+      <para>Unlike rules in the <ulink
-      in this file will continue after a match. So the final mark for each
+      url="shorewall-rules.html">shorewall-rules</ulink>(5) file, evaluation
-      packet will be the one assigned by the LAST tcrule that matches.</para>
+      of rules in this file will continue after a match. So the final mark for
+      each packet will be the one assigned by the LAST tcrule that
+      matches.</para>
 
       <para>If you use multiple internet providers with the 'track' option, in
       /etc/shorewall/providers be sure to read the restrictions at
@@ -99,7 +101,8 @@
 
                 <listitem>
                   <para>Otherwise, the chain is determined by the setting of
-                  MARK_IN_FORWARD_CHAIN in shorewall.conf(5).</para>
+                  MARK_IN_FORWARD_CHAIN in <ulink
+                  url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
                 </listitem>
               </itemizedlist>
 
@@ -168,12 +171,15 @@
 
               <para>When using Shorewall's built-in traffic tool, the
               <emphasis>major</emphasis> class is the device number (the first
-              device in shorewall-tcdevices(5) is major class 1, the second
+              device in <ulink
-              device is major class 2, and so on) and the
+              url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5) is
-              <emphasis>minor</emphasis> class is the class's MARK value in
+              major class 1, the second device is major class 2, and so on)
-              shorewall-tcclasses(5) preceded by the number 1 (MARK 1
+              and the <emphasis>minor</emphasis> class is the class's MARK
-              corresponds to minor class 11, MARK 5 corresponds to minor class
+              value in <ulink
-              15, MARK 22 corresponds to minor class 122, etc.).</para>
+              url="shorewall-tcclasses.html">shorewall-tcclasses</ulink>(5)
+              preceded by the number 1 (MARK 1 corresponds to minor class 11,
+              MARK 5 corresponds to minor class 15, MARK 22 corresponds to
+              minor class 122, etc.).</para>
             </listitem>
 
             <listitem>
@@ -254,8 +260,8 @@
           <para>Example: ~00-A0-C9-15-39-78</para>
 
           <para>You may exclude certain hosts from the set already defined
-          through use of an <emphasis>exclusion</emphasis> (see
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
-          shorewall-exclusion(5)).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 
@@ -275,8 +281,8 @@
           this column may also contain an interface name.</para>
 
           <para>You may exclude certain hosts from the set already defined
-          through use of an <emphasis>exclusion</emphasis> (see
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
-          shorewall-exclusion(5)).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall-tos.xml

@@ -34,7 +34,8 @@
         role="bold">$FW</emphasis>}</term>
 
         <listitem>
-          <para>Name of a zone declared in shorewall-zones(5), <emphasis
+          <para>Name of a zone declared in <ulink
+          url="shorewall-zones.html">shorewall-zones</ulink>(5), <emphasis
           role="bold">all</emphasis> or <emphasis
           role="bold">$FW</emphasis>.</para>
 
@@ -59,7 +60,8 @@
         role="bold">all</emphasis>}</term>
 
         <listitem>
-          <para>Name of a zone declared in shorewall-zones(5) or <emphasis
+          <para>Name of a zone declared in <ulink
+          url="shorewall-zones.html">shorewall-zones</ulink>(5) or <emphasis
           role="bold">all</emphasis>.</para>
 
           <para>If not <emphasis role="bold">all</emphasis>, may optionally be

manpages/shorewall.conf.xml

@@ -151,7 +151,8 @@
 
           <para>If you set the value of either option to "None" then no
           default action will be used and the default action or macro must be
-          specified in shorewall-policy(5).</para>
+          specified in <ulink
+          url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -161,8 +162,9 @@
 
         <listitem>
           <para>This parameter determines whether Shorewall automatically adds
-          the external address(es) in shorewall.nat(5). If the variable is set
+          the external address(es) in <ulink
-          to <emphasis role="bold">Yes</emphasis> or <emphasis
+          url="shorewall-nat.html">shorewall-nat</ulink>(5). If the variable
+          is set to <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis> then Shorewall automatically adds these
           aliases. If it is set to <emphasis role="bold">No</emphasis> or
           <emphasis role="bold">no</emphasis>, you must add these aliases
@@ -186,8 +188,9 @@
 
         <listitem>
           <para>This parameter determines whether Shorewall automatically adds
-          the SNAT ADDRESS in /etc/shorewall/masq. If the variable is set to
+          the SNAT ADDRESS in <ulink
-          <emphasis role="bold">Yes</emphasis> or <emphasis
+          url="shorewall-masq.html">shorewall-masq</ulink>(5). If the variable
+          is set to <emphasis role="bold">Yes</emphasis> or <emphasis
           role="bold">yes</emphasis> then Shorewall automatically adds these
           addresses. If it is set to <emphasis role="bold">No</emphasis> or
           <emphasis role="bold">no</emphasis>, you must add these addresses
@@ -212,12 +215,14 @@
         <listitem>
           <para>The value of this variable affects Shorewall's stopped state.
           When ADMINISABSENTMINDES=No, only traffic to/from those addresses
-          listed in shorewall-routestopped(5) is accepted when Shorewall is
+          listed in <ulink
-          stopped. When ADMINISABSENTMINDED=Yes, in addition to traffic
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          to/from addresses in shorewall-routestopped(5), connections that
+          is accepted when Shorewall is stopped. When ADMINISABSENTMINDED=Yes,
-          were active when Shorewall stopped continue to work and all new
+          in addition to traffic to/from addresses in <ulink
-          connections from the firewall system itself are allowed. If this
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5),
-          variable is not set or is given the empty value then
+          connections that were active when Shorewall stopped continue to work
+          and all new connections from the firewall system itself are allowed.
+          If this variable is not set or is given the empty value then
           ADMINISABSENTMINDED=No is assumed.</para>
         </listitem>
       </varlistentry>
@@ -301,8 +306,9 @@
           set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an
           /etc/shorewall/tcstart file. That way, your traffic shaping rules
           can still use the “fwmark” classifier based on packet marking
-          defined in shorewall-tcrules(5). If not specified, CLEAR_TC=Yes is
+          defined in <ulink
-          assumed.</para>
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5). If not
+          specified, CLEAR_TC=Yes is assumed.</para>
         </listitem>
       </varlistentry>
 
@@ -345,8 +351,9 @@
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
 
         <listitem>
-          <para>Users with a large static black list (shorewall-blacklist(5))
+          <para>Users with a large static black list (<ulink
-          may want to set the DELAYBLACKLISTLOAD option to <emphasis
+          url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)) may
+          want to set the DELAYBLACKLISTLOAD option to <emphasis
           role="bold">Yes</emphasis>. When DELAYBLACKLISTLOAD=Yes, Shorewall
           will enable new connections before loading the blacklist rules.
           While this may allow connections from blacklisted hosts to slip by
@@ -400,7 +407,8 @@
           <para>If you set FASTACCEPT=Yes, then ESTABLISHED/RELEATED packets
           are accepted early in the INPUT, FORWARD and OUTPUT chains. If you
           set FASTACCEPT=Yes then you may not include rules in the ESTABLISHED
-          or RELATED sections of shorewall-rules(5).</para>
+          or RELATED sections of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -410,8 +418,9 @@
 
         <listitem>
           <para>Prior to version 3.2.0, it was not possible to use connection
-          marking in /etc/shorewall/tcrules if you have a multi-ISP
+          marking in <ulink
-          configuration that uses the track option.</para>
+          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) if you
+          have a multi-ISP configuration that uses the track option.</para>
 
           <para>Beginning with release 3.2.0, you may now set
           HIGH_ROUTE_MARKS=Yes in to effectively divide the packet mark and
@@ -457,10 +466,11 @@
           differently with respect to policies.</para>
 
           <para>Subzones are defined by following their name with ":" and a
-          list of parent zones (in /etc/shorewall/zones). Normally, you want
+          list of parent zones (in <ulink
-          to have a set of special rules for the subzone and if a connection
+          url="shorewall-zones.html">shorewall-zones</ulink>(5)). Normally,
-          doesn't match any of those subzone-specific rules then you want the
+          you want to have a set of special rules for the subzone and if a
-          parent zone rules and policies to be applied. With
+          connection doesn't match any of those subzone-specific rules then
+          you want the parent zone rules and policies to be applied. With
           IMPLICIT_CONTINUE=Yes, that happens automatically.</para>
 
           <para>If IMPLICIT_CONTINUE=No or if IMPLICIT_CONTINUE is not set,
@@ -553,8 +563,8 @@
           <emphasis role="bold">No</emphasis> which sets both of the above to
           zero. If you do not enable martian logging for all interfaces, you
           may still enable it for individual interfaces using the <emphasis
-          role="bold">logmartians</emphasis> interface option in
+          role="bold">logmartians</emphasis> interface option in <ulink
-          shorewall-interfaces(5).</para>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -726,8 +736,10 @@
 
         <listitem>
           <para>The performance of configurations with a large numbers of
-          entries in /etc/shorewall/maclist can be improved by setting the
+          entries in <ulink
-          MACLIST_TTL variable in shorewall.conf(5).</para>
+          url="shorewall-maclist.html">shorewall-maclist</ulink>(5) can be
+          improved by setting the MACLIST_TTL variable in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
 
           <para>If your iptables and kernel support the "Recent Match" (see
           the output of "shorewall check" near the top), you can cache the
@@ -736,13 +748,14 @@
 
           <para>When a new connection arrives from a 'maclist' interface, the
           packet passes through then list of entries for that interface in
-          shorewall-maclist(5). If there is a match then the source IP address
+          <ulink url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-          is added to the 'Recent' set for that interface. Subsequent
+          there is a match then the source IP address is added to the 'Recent'
-          connection attempts from that IP address occurring within
+          set for that interface. Subsequent connection attempts from that IP
-          $MACLIST_TTL seconds will be accepted without having to scan all of
+          address occurring within $MACLIST_TTL seconds will be accepted
-          the entries. After $MACLIST_TTL from the first accepted connection
+          without having to scan all of the entries. After $MACLIST_TTL from
-          request from an IP address, the next connection request from that IP
+          the first accepted connection request from an IP address, the next
-          address will be checked against the entire list.</para>
+          connection request from that IP address will be checked against the
+          entire list.</para>
 
           <para>If MACLIST_TTL is not specified or is specified as empty (e.g,
           MACLIST_TTL="" or is specified as zero then 'maclist' lookups will
@@ -913,16 +926,18 @@
         <listitem>
           <para>During <emphasis role="bold">shorewall star</emphasis>t, IP
           addresses to be added as a consequence of ADD_IP_ALIASES=Yes and
-          ADD_SNAT_ALIASES=Yes are quietly deleted when shorewall-nat(5) and
+          ADD_SNAT_ALIASES=Yes are quietly deleted when <ulink
-          shorewall-masq(5) are processed then are re-added later. This is
+          url="shorewall-nat.html">shorewall-nat</ulink>(5) and <ulink
-          done to help ensure that the addresses can be added with the
+          url="shorewall-masq.html">shorewall-masq</ulink>(5) are processed
-          specified labels but can have the undesirable side effect of causing
+          then are re-added later. This is done to help ensure that the
-          routes to be quietly deleted. When RETAIN_ALIASES is set to Yes,
+          addresses can be added with the specified labels but can have the
-          existing addresses will not be deleted. Regardless of the setting of
+          undesirable side effect of causing routes to be quietly deleted.
-          RETAIN_ALIASES, addresses added during <emphasis
+          When RETAIN_ALIASES is set to Yes, existing addresses will not be
-          role="bold">shorewall start</emphasis> are still deleted at a
+          deleted. Regardless of the setting of RETAIN_ALIASES, addresses
-          subsequent <emphasis role="bold">shorewall stop</emphasis> or
+          added during <emphasis role="bold">shorewall start</emphasis> are
-          <emphasis role="bold">shorewall restart</emphasis>.</para>
+          still deleted at a subsequent <emphasis role="bold">shorewall
+          stop</emphasis> or <emphasis role="bold">shorewall
+          restart</emphasis>.</para>
         </listitem>
       </varlistentry>
 
@@ -1018,8 +1033,10 @@
 
         <listitem>
           <para>Specifies the logging level for smurf packets (see the
-          nosmurfs option in /etc/shorewall/interfaces). If set to the empty
+          nosmurfs option in <ulink
-          value ( SMURF_LOG_LEVEL="" ) then smurfs are not logged.</para>
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)). If
+          set to the empty value ( SMURF_LOG_LEVEL="" ) then smurfs are not
+          logged.</para>
         </listitem>
       </varlistentry>
 
@@ -1081,8 +1098,8 @@
         <listitem>
           <para>Normally, Shorewall tries to protect users from themselves by
           preventing PREROUTING and OUTPUT tcrules from being applied to
-          packets that have been marked by the 'track' option in
+          packets that have been marked by the 'track' option in <ulink
-          shorewall-providers(5).</para>
+          url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
 
           <para>If you know what you are doing, you can set TC_EXPERT=Yes and
           Shorewall will not include these cautionary checks.</para>
@@ -1099,11 +1116,12 @@
         <listitem>
           <para>Determines the disposition of TCP packets that fail the checks
           enabled by the <emphasis role="bold">tcpflags</emphasis> interface
-          option (see shorewall-interfaces(5)) and must have a value of ACCEPT
+          option (see <ulink
-          (accept the packet), REJECT (send an RST response) or DROP (ignore
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
-          the packet). If not set or if set to the empty value (e.g.,
+          must have a value of ACCEPT (accept the packet), REJECT (send an RST
-          TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is
+          response) or DROP (ignore the packet). If not set or if set to the
-          assumed.</para>
+          empty value (e.g., TCP_FLAGS_DISPOSITION="") then
+          TCP_FLAGS_DISPOSITION=DROP is assumed.</para>
         </listitem>
       </varlistentry>
 

manpages/shorewall.xml

@@ -443,7 +443,8 @@
     the command produces. They consist of a sequence of the letters <emphasis
     role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
     options are omitted, the amount of output is determined by the setting of
-    the VERBOSITY parameter in shorewall.conf(5). Each <emphasis
+    the VERBOSITY parameter in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
     role="bold">v</emphasis> adds one to the effective verbosity and each
     <emphasis role="bold">q</emphasis> subtracts one from the effective
     VERBOSITY.</para>
@@ -463,8 +464,9 @@
           with VPN's.</para>
 
           <para>The <emphasis>interface</emphasis> argument names an interface
-          defined in the shorewall-interfaces(5) file. A
+          defined in the <ulink
-          <emphasis>host-list</emphasis> is comma-separated list whose
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are:</para>
 
           <programlisting>        A host or network address
@@ -541,8 +543,9 @@
           role="bold">add</emphasis> command.</para>
 
           <para>The <emphasis>interface</emphasis> argument names an interface
-          defined in the shorewall-interfaces(5) file. A
+          defined in the <ulink
-          <emphasis>host-list</emphasis> is comma-separated list whose
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
+          file. A <emphasis>host-list</emphasis> is comma-separated list whose
           elements are:</para>
 
           <programlisting>        A host or network address
@@ -605,7 +608,8 @@
         <listitem>
           <para>Deletes /var/lib/shorewall/<emphasis>filenam</emphasis>e and
           /var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
-          given then the file specified by RESTOREFILE in shorewall.conf(5) is
+          given then the file specified by RESTOREFILE in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) is
           assumed.</para>
         </listitem>
       </varlistentry>
@@ -703,11 +707,12 @@
         <term><emphasis role="bold">logwatch</emphasis></term>
 
         <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in
+          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          shorewall.conf(5) and produces an audible alarm when new Shorewall
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) and produces an
-          messages are logged. The <emphasis role="bold">-m</emphasis> option
+          audible alarm when new Shorewall messages are logged. The <emphasis
-          causes the MAC address of each packet source to be displayed if that
+          role="bold">-m</emphasis> option causes the MAC address of each
-          information is available.</para>
+          packet source to be displayed if that information is
+          available.</para>
         </listitem>
       </varlistentry>
 
@@ -806,8 +811,8 @@
           file in /var/lib/shorewall created using <emphasis
           role="bold">shorewall save</emphasis>; if no
           <emphasis>filename</emphasis> is given then Shorewall will be
-          restored from the file specified by the RESTOREFILE option in
+          restored from the file specified by the RESTOREFILE option in <ulink
-          shorewall.conf(5).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -852,8 +857,8 @@
           <emphasis role="bold">shorewall restore</emphasis> and <emphasis
           role="bold">shorewall -f start</emphasis> commands. If
           <emphasis>filename</emphasis> is not given then the state is saved
-          in the file specified by the RESTOREFILE option in
+          in the file specified by the RESTOREFILE option in <ulink
-          shorewall.conf(5).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
         </listitem>
       </varlistentry>
 
@@ -998,9 +1003,9 @@
           will look in that <emphasis>directory</emphasis> first for
           configuration files.If <emphasis role="bold">-f</emphasis> is
           specified, the saved configuration specified by the RESTOREFILE
-          option in shorewall.conf(5) will be restored if that saved
+          option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)
-          configuration exists and has been modified more recently than the
+          will be restored if that saved configuration exists and has been
-          files in /etc/shorewall.</para>
+          modified more recently than the files in /etc/shorewall.</para>
         </listitem>
       </varlistentry>
 
@@ -1009,11 +1014,14 @@
 
         <listitem>
           <para>Stops the firewall. All existing connections, except those
-          listed in shorewall-routestopped(5) or permitted by the
+          listed in <ulink
-          ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. The
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          only new traffic permitted through the firewall is from systems
+          or permitted by the ADMINISABSENTMINDED option in <ulink
-          listed in shorewall-routestopped(5) or by
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
-          ADMINISABSENTMINDED.</para>
+          The only new traffic permitted through the firewall is from systems
+          listed in <ulink
+          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
+          or by ADMINISABSENTMINDED.</para>
         </listitem>
       </varlistentry>