Large cleanup patch from Tuomo Soini

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2449 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/accounting

@@ -49,10 +49,11 @@
 #	PROTOCOL	A protocol name (from /etc/protocols), a protocol
 #			number, or "ipp2p"
 #
-#	DEST PORT	Destination Port number. If the PROTOCOL is "ipp2p" then
+#	DEST PORT	Destination Port number. If the PROTOCOL is "ipp2p"
-#			this column must contain an ipp2p option ("iptables -m 
+#			then this column must contain an ipp2p option
-#			ipp2p --help") without the leading "--". If no option
+#			("iptables -m ipp2p --help") without the leading
-#			is given in this column, "ipp2p" is assumed.
+#			"--". If no option is given in this column, "ipp2p"
+#			is assumed.
 #
 #			Service name from /etc/services or port number. May
 #			only be specified if the protocol is TCP or UDP (6
@@ -91,7 +92,7 @@
 # Please see http://shorewall.net/Accounting.html for examples and
 # additional information about how to use this file.
 #
+#####################################################################################
 #ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #							PORT		PORT	GROUP
-#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/action.Drop

@@ -1,20 +1,23 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/action.Drop
+# Shorewall version 2.6 - Drop Action
+#
+# /usr/share/shorewall/action.Drop
 #
 #	The default DROP common rules
 #
-# This action is invoked before a DROP policy is enforced. The purpose of the action
+#	This action is invoked before a DROP policy is enforced. The purpose
-# is:
+#	of the action is:
 #
 #	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
+#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   Otherwise, you may experience problems establishing connections with
+#	   DROP. Otherwise, you may experience problems establishing
-#	   servers that use auth.
+#	   connections with servers that use auth.
 #	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-######################################################################################
+#
+###############################################################################
 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'
@@ -29,8 +32,8 @@ dropBcast
 #
 AllowICMPs	-	-	icmp
 #
-# Drop packets that in the INVALID state -- these are usually ICMP packets and just
+# Drop packets that in the INVALID state -- these are usually ICMP packets
-# confuse people when they appear in the log.
+# and just confuse people when they appear in the log.
 #
 dropInvalid
 #
@@ -43,7 +46,8 @@ DropUPnP
 #
 dropNotSyn	-	-	tcp
 #
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
 #
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/action.Reject

@@ -1,24 +1,27 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/action.Reject
+# Shorewall version 2.6 - Reject Action
+#
+# /usr/share/shorewall/action.Reject
 #
 #	The default REJECT action common rules
 #
-# This action is invoked before a REJECT policy is enforced. The purpose of the action
+#	This action is invoked before a REJECT policy is enforced. The purpose
-# is:
+#	of the action is:
 #
 #	a) Avoid logging lots of useless cruft.
 #	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-######################################################################################
+###############################################################################
 #TARGET		SOURCE	DEST	PROTO
 #
 # Don't log 'auth' REJECT
 #
 Auth/REJECT
 #
-# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
 #
 dropBcast
 #
@@ -26,8 +29,9 @@ dropBcast
 #
 AllowICMPs	-	-	icmp
 #
-# Drop packets that in the INVALID state -- these are usually ICMP packets and just
+# Drop packets that in the INVALID state -- these are usually ICMP packets
-# confuse people when they appear in the log (these ICMPs cannot be rejected).
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
 #
 dropInvalid
 #
@@ -40,7 +44,8 @@ DropUPnP
 #
 dropNotSyn	-	-	tcp
 #
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
 #
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/action.template

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 /etc/shorewall/action.template
+# Shorewall version 2.6 - Template Action
+#
+# /etc/shorewall/action.template
 #
 #	This file is a template for files with names of the form
 #	/etc/shorewall/action.<action-name> where <action> is an
@@ -31,9 +33,10 @@
 #					    and return to the point where the
 #					    action was invoked.
 #				<action> -- An <action> defined in
-#					    /etc/shorewall/actions. The <action>
+#					    /etc/shorewall/actions.
-#					    must appear in that file BEFORE the
+#					    The <action> must appear in that
-#					    one being defined in this file.
+#					    file BEFORE the one being defined
+#					    in this file.
 #
 #			The TARGET may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
@@ -95,9 +98,10 @@
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., eth1:192.168.1.5).
 #
-#	DEST		Location of destination host. Same as above with the exception that
+#	DEST		Location of destination host. Same as above with
-#			MAC addresses are not allowed and that you cannot specify
+#			the exception that MAC addresses are not allowed and
-#                       an ipset name in both the SOURCE and DEST columns.
+#			that you cannot specify an ipset name in both the
+#			SOURCE and DEST columns.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
@@ -173,7 +177,7 @@
 #					#of the 'kids' group
 #				+upnpd	#program named upnpd
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE		USER/
+#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/actions

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 /etc/shorewall/actions
+# Shorewall version 2.6 - Actions File
+#
+# /etc/shorewall/actions
 #
 #	This file allows you to define new ACTIONS for use in rules
 #	(/etc/shorewall/rules). You define the iptables rules to
@@ -24,9 +26,8 @@
 #	If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
 #	itself, the associated policy will have no common action.
 #
-#	Please see http://shorewall.net/Actions.html for additional
+# Please see http://shorewall.net/Actions.html for additional information.
-#	information.
 #
+###############################################################################
 #ACTION
-
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/actions.std

@@ -1,27 +1,28 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/actions.std
+# Shorewall version 2.6 - Actions.std File
+#
+# /usr/share/shorewall/actions.std
 #
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
 # Builtin Actions are:
 #
-#    allowBcast		#Silently Allow Broadcast/multicast
+#    allowBcast		# Silently Allow Broadcast/multicast
-#    dropBcast          #Silently Drop Broadcast/multicast
+#    dropBcast		# Silently Drop Broadcast/multicast
-#    dropNotSyn         #Silently Drop Non-syn TCP packets
+#    dropNotSyn		# Silently Drop Non-syn TCP packets
-#    rejNotSyn          #Silently Reject Non-syn TCP packets
+#    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    dropInvalid	#Silently Drop packets that are in the INVALID
+#    dropInvalid	# Silently Drop packets that are in the INVALID
-#                       #conntrack state.
+#			# conntrack state.
-#    allowInvalid	#Accept packets that are in the INVALID
+#    allowInvalid	# Accept packets that are in the INVALID
-#			#conntrack state.
+#			# conntrack state.
-#    allowoutUPnP       #Allow traffic from local command 'upnpd'
+#    allowoutUPnP	# Allow traffic from local command 'upnpd'
-#    allowinUPnP        #Allow UPnP inbound (to firewall) traffic
+#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
-#    forwardUPnP	#Allow traffic that upnpd has redirected from
+#    forwardUPnP	# Allow traffic that upnpd has redirected from
-#			#'upnp' interfaces.
+#			# 'upnp' interfaces.
 #
+###############################################################################
 #ACTION
-
+Drop:DROP		# Common Action for DROP policy
-Drop:DROP	   #Common Action for DROP policy
+Reject:REJECT		# Common Action for REJECT policy
-Reject:REJECT      #Common Action for REJECT policy
-
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/blacklist

@@ -1,9 +1,10 @@
 #
-# Shorewall 2.6 -- Blacklist File
+# Shorewall version 2.6 - Blacklist File
 #
 # /etc/shorewall/blacklist
 #
-# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
+#	This file contains a list of IP addresses, MAC addresses and/or
+#	subnetworks.
 #
 # Columns are:
 #
@@ -25,9 +26,10 @@
 #			  of port numbers or service names from /etc/services.
 #
 #	When a packet arrives on an interface that has the 'blacklist' option
-# specified in /etc/shorewall/interfaces, its source IP address is checked
+#	specified in /etc/shorewall/interfaces, its source IP address is
-# against this file and disposed of according to the BLACKLIST_DISPOSITION and
+#	checked against this file and disposed of according to the
-# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
+#	BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
+#	/etc/shorewall/shorewall.conf
 #
 #	If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
 #	the protocol (and one of the ports if PORTS supplied) are blocked.
@@ -52,5 +54,3 @@
 ###############################################################################
 #ADDRESS/SUBNET		PROTOCOL	PORT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-

Shorewall/continue

@@ -1,8 +1,14 @@
-############################################################################
+#
-# Shorewall 2.6 -- /etc/shorewall/continue
+# Shorewall version 2.6 - Continue File
+#
+#  /etc/shorewall/continue
 #
 #	Add commands below that you want to be executed after shorewall has
-# cleared any existing Netfilter rules and has enabled existing connections.
+#	cleared any existing Netfilter rules and has enabled existing
+#	connections.
 #
-# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+# For additional information, see
+# http://shorewall.net/shorewall_extension_scripts.htm
 #
+###############################################################################
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/ecn

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 - /etc/shorewall/ecn
+# Shorewall version 2.6 - Ecn File
+#
+# /etc/shorewall/ecn
 #
 #	Use this file to list the destinations for which you want to
 #	disable ECN.
@@ -17,6 +19,7 @@
 #			  are also permitted.
 #
 # For additional information, see http://shorewall.net/Documentation.htm#ECN
-##############################################################################
+#
+###############################################################################
 #INTERFACE	HOST(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/hosts

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 - /etc/shorewall/hosts
+# Shorewall version 2.6 - Hosts file
+#
+# /etc/shorewall/hosts
 #
 #	THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
 #	ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@@ -37,7 +39,8 @@
 #			   be defined in /etc/shorewall/interfaces and may
 #			   optionally followed by a colon (":") and a
 #			   host or network IP or a range.
-#			   See http://www.shorewall.net/Bridge.html for details.
+#			   See http://www.shorewall.net/Bridge.html
+#			   for details.
 #			e) The name of an ipset (preceded by "+").
 #
 #		  Examples:
@@ -60,11 +63,12 @@
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #
-#			routeback    - Shorewall should set up the infrastructure
+#			routeback    - Shorewall should set up the
-#				       to pass packets from this/these
+#				       infrastructure to pass packets
-#				       address(es) back to themselves. This is
+#				       from this/these address(es) back
-#				       necessary if hosts in this group use the
+#				       to themselves. This is necessary if
-#				       services of a transparent proxy that is
+#				       hosts in this group use the services
+#				       of a transparent proxy that is
 #				       a member of the group or if DNAT is used
 #				       to send requests originating from this
 #				       group to a server in the group.
@@ -124,10 +128,12 @@
 #				       kernel 2.6 ipsec SA. Note that if the
 #				       zone named in the ZONE column is
 #				       specified as an IPSEC zone in the
-#				       /etc/shorewall/zones file then you do NOT
+#				       /etc/shorewall/zones file then you
-#				       need to specify the 'ipsec' option here.
+#				       do NOT need to specify the 'ipsec'
+#				       option here.
 #
 # For additional information, see http://shorewall.net/Documentation.htm#Hosts
 #
+###############################################################################
 #ZONE	HOST(S)					OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Shorewall/init

@@ -1,8 +1,13 @@
-############################################################################
+#
-# Shorewall 2.6 -- /etc/shorewall/init
+# Shorewall version 2.4 - Init File
+#
+# /etc/shorewall/init
 #
 #	Add commands below that you want to be executed at the beginning of
 #	a "shorewall start" or "shorewall restart" command.
 #
-# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+# For additional information, see
+# http://shorewall.net/shorewall_extension_scripts.htm
 #
+###############################################################################
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/initdone

@@ -1,9 +1,14 @@
-############################################################################
+#
-# Shorewall 2.6 -- /etc/shorewall/initdone
+# Shorewall version 2.6 - Initdone File
+#
+# /etc/shorewall/initdone
 #
 #	Add commands below that you want to be executed during
 #	"shorewall start" or "shorewall restart" commands at the point where
 #	Shorewall has not yet added any perminent rules to the builtin chains.
 #
-# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+# For additional information, see
+# http://shorewall.net/shorewall_extension_scripts.htm
 #
+###############################################################################
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/interfaces

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.6 -- Interfaces File
+# Shorewall version 2.6 - Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@@ -118,9 +118,10 @@
 #				       from this interface, even if
 #				       NEWNOTSYN=No has been specified in
 #				       /etc/shorewall/shorewall.conf. In other
-#				       words, packets coming in on this interface
+#				       words, packets coming in on this
-#				       are processed as if NEWNOTSYN=Yes had been
+#				       interface are processed as if
-#				       specified in /etc/shorewall/shorewall.conf.
+#				       NEWNOTSYN=Yes had been specified in
+#					/etc/shorewall/shorewall.conf.
 #
 #				       This option has no effect if
 #				       NEWNOTSYN=Yes.
@@ -133,9 +134,9 @@
 #				       interface option unnecessary).
 #
 #			routeback    - If specified, indicates that Shorewall
-#				       should include rules that allow filtering
+#				       should include rules that allow
-#				       traffic arriving on this interface back
+#				       filtering traffic arriving on this
-#				       out that same interface.
+#				       interface back out that same interface.
 #
 #			arp_filter   - If specified, this interface will only
 #				       respond to ARP who-has requests for IP
@@ -190,8 +191,8 @@
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
 #
-#			upnp         - Incoming requests from this interface may
+#			upnp	     - Incoming requests from this interface
-#				       be remapped via UPNP (upnpd).
+#				       may be remapped via UPNP (upnpd).
 #			
 #			WARNING: DO NOT SET THE detectnets OPTION ON YOUR
 #				 INTERNET INTERFACE.
@@ -231,9 +232,9 @@
 #
 #			net	ppp0	-
 #
-# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
+# For additional information, see
+# http://shorewall.net/Documentation.htm#Interfaces
 #
-##############################################################################
+###############################################################################
 #ZONE	INTERFACE	BROADCAST	OPTIONS			GATEWAY
-#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/ipsec

@@ -4,4 +4,4 @@
 # /etc/shorewall/zones file.
 #
 # See the IPSECFILE option in shorewall.conf for further information.
-
+#

Shorewall/maclist

@@ -1,13 +1,13 @@
 #
-# Shorewall 2.6 - MAC list file
+# Shorewall version 2.6 - Maclist file
+#
+# /etc/shorewall/maclist
 #
 #	This file is used to define the MAC addresses and optionally their
 #	associated IP addresses to be allowed to use the specified interface.
 #	The feature is enabled by using the maclist option in the interfaces
 #	or hosts configuration file.
 #
-# /etc/shorewall/maclist
-#
 # Columns are:
 #
 #	INTERFACE	Network interface to a host. If the interface
@@ -26,6 +26,6 @@
 #
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
-##############################################################################
+###############################################################################
 #INTERFACE		MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/macro.AllowICMPs

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs
+# Shorewall version 2.6 - AllowICMPs Macro
+#
+# /usr/share/shorewall/macro.AllowICMPs
 #
 #	ACCEPT needed ICMP types
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-#
 ACCEPT	-	-	icmp	fragmentation-needed
 ACCEPT	-	-	icmp	time-exceeded
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Amanda

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.Amanda
+# Shorewall version 2.6 - Amanda Macro
+#
+# /usr/share/shorewall/macro.Amanda
 #
 #	This macro handles connections to the AMANDA backup system.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	udp	10080
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Auth

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Auth
+# Shorewall version 2.6 - Auth Macro
+#
+# /usr/share/shorewall/macro.Auth
 #
 #	This macro handles Auth (identd) traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	113
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.BitTorrent

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.BitTorrent
+# Shorewall version 2.6 - BitTorrent Macro
+#
+# /usr/share/shorewall/macro.BitTorrent
 #
 #	This macro handles BitTorrent traffic.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	6881:6889
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.CVS

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.CVS
+# Shorewall version 2.6 - CVS Macro
+#
+# /usr/share/shorewall/macro.CVS
 #
 #	This macro handles connections to the CVS pserver.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	2401
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.DNS

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.DNS
+# Shorewall version 2.6 - DNS Macro
+#
+# /usr/share/shorewall/macro.DNS
 #
 #	This macro handles DNS traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	udp	53
 PARAM	-	-	tcp	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Distcc

@@ -1,11 +1,13 @@
 #
-# Shorewall macro.Distcc
+# Shorewall version 2.6 - Distoc Macro
+#
+# /usr/share/shorewall/macro.Distcc
 #
 #	This macro handles connections to the Distributed Compiler
 #	service.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	3632
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.DropDNSrep

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep
+# Shorewall version 2.6 - DropDNSrep Macro
+#
+# /usr/share/shorewall/macro.DropDNSrep
 #
 #	This macro silently drops DNS UDP replies
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 DROP	-	-	udp	-	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.DropUPnP

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP
+# Shorewall version 2.6 - DropUPnP Macro
+#
+# /usr/share/shorewall/macro.DropUPnP
 #
 #	This macro silently drops UPnP probes on UDP port 1900
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 DROP	-	-	udp	1900
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Edonkey

@@ -1,31 +1,35 @@
 #
-# Shorewall macro.Edonkey
+# Shorewall version 2.6 - Edonkey Macro
+#
+# /usr/share/shorewall/macro.Edonkey
 #
 #	This macro handles Edonkey traffic.
 #
-######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
-PARAM	 -		-		tcp	4662
-PARAM	 -		-		udp	4665
 #
 #	http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
-# says to use udp 5737 rather than 4665
+#	says to use udp 5737 rather than 4665.
 #
 #	http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
-# 4661 TCP (outgoing)
-#    Port, on which a server listens for connection (defined by server). 
-#4665 UDP (outgoing)
-#    used for global server searches and global source queries. This is
-#always Server TCP port (in this case 4661) + 4. 
-#4662 TCP (outgoing and incoming)
-#    Client to client transfers. 
-#4672 UDP (outgoing and incoming)
-#    Extended eMule protocol, Queue Rating, File Reask Ping 
-#4711 TCP
-#    WebServer listening port. 
-#4712 TCP
-#    External Connection port. Used to communicate aMule with other
-#applications such as aMule WebServer or aMuleCMD.
 #
+#	4661 TCP (outgoing) Port, on which a server listens for connection
+#	(defined by server).
+#
+#	4665 UDP (outgoing) used for global server searches and global source
+#	queries. This is always Server TCP port (in this case 4661) + 4.
+#
+#	4662 TCP (outgoing and incoming) Client to client transfers.
+#
+#	4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
+#	Rating, File Reask Ping
+#
+#	4711 TCP WebServer listening port.
+#
+#	4712 TCP External Connection port. Used to communicate aMule with other
+#	applications such as aMule WebServer or aMuleCMD.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-	-	tcp	4662
+PARAM	-	-	udp	4665
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.FTP

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.FTP
+# Shorewall version 2.6 - FTP Macro
+#
+# /usr/share/shorewall/macro.FTP
 #
 #	This macro handles FTP traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	21
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Gnutella

@@ -1,11 +1,13 @@
 #
-# Shorewall macro.Gnutella
+# Shorewall version 2.6 - Gnutella Macro
+#
+# /usr/share/shorewall/macro.Gnutella
 #
 #	This macro handles gnutella traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	6346
 PARAM	-	-	udp	6346
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.ICQ

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.ICQ
+# Shorewall version 2.6 - ICQ Macro
+#
+# /usr/share/shorewall/macro.ICQ
 #
 #	This macro handles ICQ traffic.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	5190
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.IMAP

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.IMAP
+# Shorewall version 2.6 - IMAP Macro
+#
+# /usr/share/shorewall/macro.IMAP
 #
 #	This macro handles IMAP traffic (secure and insecure):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	143	#Unsecure IMAP	
+PARAM	-	-	tcp	143	# Unsecure IMAP	
-PARAM	 -		-		tcp	993	#Secure IMAP
+PARAM	-	-	tcp	993	# Secure IMAP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.LDAP

@@ -1,11 +1,13 @@
 #
-# Shorewall macro.LDAP
+# Shorewall version 2.6 - LDAP Macro
+#
+# /usr/share/shorewall/macro.LDAP
 #
 #	This macro handles LDAP traffic (secure and insecure)
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	389
 PARAM	-	-	tcp	636
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.MySQL

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.MySQL
+# Shorewall version 2.6 - MySQL Macro
+#
+# /usr/share/shorewall/macro.MySQL
 #
 #	This action macro.handles connections to the MySQL server.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	3306
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.NNTP

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.NNTP
+# Shorewall version 2.6 NNTP Macro
+#
+# /usr/share/shorewall/macro.NNTP
 #
 #	This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	119
 PARAM	-	-	tcp	563
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.NTP

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.NTP
+# Shorewall version 2.6 - NTP Macro
+#
+# /usr/share/shorewall/macro.NTP
 #
 #	This macro handles NTP traffic (ntpd).
+#	For broadcast NTP traffic, use NTPbrd Macro.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)    DEST         LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	udp	123
-PARAM	 -		-		udp	1024:	123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.NTPbrd

@@ -0,0 +1,18 @@
+#
+# Shorewall version 2.6 - NTPbrd Macro
+#
+# /usr/share/shorewall/macro.NTPbrd
+#
+#	This macro handles NTP traffic (ntpd) including replies to Broadcast
+#	NTP traffic.
+#
+#	It is recommended only to use this where the source host is trusted -
+#	otherwise it opens up a large hole in your firewall because
+#	Netfilter doesn't track connections for broadcast traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-		-		udp	123
+PARAM	-		-		udp	1024:	123
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.PCA

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.PCA
+# Shorewall version 2.6 - PCA Macro
+#
+# /usr/share/shorewall/macro.PCA
 #
 #	This macro handles PCAnywere (tm)
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	udp	5632
 PARAM	-	-	tcp	5631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.POP3

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.POP3
+# Shorewall version 2.6 - POP3 Macro
+#
+# /usr/share/shorewall/macro.POP3
 #
 #	This macro handles POP3 traffic (secure and insecure):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)    DEST         LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	110	#Unsecure POP3	
+PARAM	-	-	tcp	110	# Unsecure POP3	
-PARAM	 -		-		tcp	995	#Secure POP3
+PARAM	-	-	tcp	995	# Secure POP3
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Ping

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Ping
+# Shorewall version 2.6 - Ping Macro
+#
+# /usr/share/shorewall/macro.Ping
 #
 #	This macro handles 'ping' requests.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	icmp	8
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.PostgreSQL

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.PostgreSQL
+# Shorewall version 2.6 - PostgreSQL Macro
+#
+# /usr/share/shorewall/macro.PostgreSQL
 #
 #	This macro handles connections to the PostgreSQL server.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	5432
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Rdate

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Rdate
+# Shorewall version 2.6 - Rdate Macro
+#
+# /usr/share/shorewall/macro.Rdate
 #
 #	This macro handles remote time retrieval (rdate).
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	37
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Rsync

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.Rsync
+# Shorewall version 2.6 - Rsync Macro
+#
+# /usr/share/shorewall/macro.Rsync
 #
 #	This macro handles connections to the rsync server.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	873
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SMB

@@ -1,12 +1,14 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.SMB
+# Shorewall version 2.6 - SMB Macro
+#
+# /usr/share/shorewall/macro.SMB
 #
 #	Handle Microsoft SMB traffic. You need to invoke this macro in
 #	both directions.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	udp	135,445
 PARAM	-	-	udp	137:139
 PARAM	-	-	udp	1024:	137

Shorewall/macro.SMBswat

@@ -1,11 +1,13 @@
 #
-# Shorewall macro.SMBswat
+# Shorewall version 2.6 - SMBswat Macro
+#
+# /usr/share/shorewall/macro.SMBswat
 #
 #	This macro handles connections to the Samba Web Administration
 #	Tool (SWAT).
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	901
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SMTP

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.SMTP
+# Shorewall version 2.6 - SMTP Macro
+#
+# /usr/share/shorewall/macro.SMTP
 #
 #	This macro handles SMTP (email) traffic.
 #
@@ -8,8 +10,8 @@
 #	reading of email via POP3 or IMAP. For those you need to use
 #	the POP3 or IMAP macros.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	25
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SNMP

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.SNMP
+# Shorewall version 2.6 - SNMP Macro
+#
+# /usr/share/shorewall/macro.SNMP
 #
 #	This macro accepts SNMP traffic (including traps):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	udp	161:162	
 PARAM	-	-	tcp	161
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SPAMD

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.SPAMD
+# Shorewall version 2.6 - SPAMD Macro
+#
+# /usr/share/shorewall/macro.SPAMD
 #
 #	This macro handles Spam Assassin SPAMD traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	783
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SSH

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.SSH
+# Shorewall version 2.6 - SSH Macro
+#
+# /usr/share/shorewall/macro.SSH
 #
 #	This macro handles secure shell (SSH) traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	22
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SVN

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.SVN
+# Shorewall version 2.6 - SVN Macro
 #
-#	This macro handles connections to the Subversion server.
+# /usr/share/shorewall/macro.SVN
 #
-################################################################################
+#	This macro handles connections to the Subversion (SVN) server.
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#
-#                       	        	PORT		PORT(S)    LIMIT
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	3690
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Submission

@@ -0,0 +1,12 @@
+#
+# Shorewall version 2.6 - Submission Macro
+#
+# /usr/share/shorewall/macro.Submission
+#
+#	This macro handles mail message submission traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-	-	tcp	587
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Syslog

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.Syslog
+# Shorewall version 2.6 - Syslog Macro
+#
+# /usr/share/shorewall/macro.Syslog
 #
 #	This macro handles syslog UDP traffic.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	udp	514
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Telnet

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Telnet
+# Shorewall version 2.6 - Telnet Macro
+#
+# /usr/share/shorewall/macro.Telnet
 #
 #	This macro handles Telnet traffic. For traffic over the
 #	internet, telnet is inappropriate; use SSH instead
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	23
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Trcrt

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt
+# Shorewall version 2.6 -Trcrt Macro
+#
+# /usr/share/shorewall/macro.Trcrt
 #
 #	This macro handles Traceroute (for up to 30 hops):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               udp	33434:33524 #UDP Traceroute
+PARAM	-	-	udp	33434:33524 # UDP Traceroute
-PARAM	 -		-		icmp	8	    #ICMP Traceroute
+PARAM	-	-	icmp	8	    # ICMP Traceroute
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.VNC

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.VNC
+# Shorewall version 2.6 - VNC Macro
+#
+# /usr/share/shorewall/macro.VNC
 #
 #	This macro handles VNC traffic for VNC display's 0 - 9.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	5900:5909
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.VNCL

@@ -1,10 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.VNCL
+# Shorewall version 2.6 -VNCL Macro
 #
-#	This macro handles VNC traffic from Vncservers to Vncviewers in listen mode.
+# /usr/share/shorewall/macro.VNCL
 #
-######################################################################################
+#	This macro handles VNC traffic from Vncservers to Vncviewers in listen
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#	mode.
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	5500
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Web

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Web
+# Shorewall version 2.6 - Web Macro
+#
+# /usr/share/shorewall/macro.Web
 #
 #	This macro handles WWW traffic (secure and insecure):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 PARAM	-	-	tcp	80
 PARAM	-	-	tcp	443
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.template

@@ -1,21 +1,24 @@
 #
-# Shorewall version 2.6 - Macro Template File
+# Shorewall version 2.6 - Template Macro
 #
 # /usr/share/shorewall/macro.template
 #
 # Macro files are similar to template files with the following exceptions:
 #
-#	- A macro file is not processed unless the marcro that it defines is referenced in the
+#	- A macro file is not processed unless the marcro that it defines is
-#	  /etc/shorewall/rules file or in an action definition file.
+#	  referenced in the /etc/shorewall/rules file or in an action
+#	  definition file.
 #
-#	- Macros are translated directly into one or more rules whereas actions become their own
+#	- Macros are translated directly into one or more rules whereas
-#	  chain.
+#	  actions become their own chain.
 #
-#	- All entries in a macro undergo substitution when the macro is invoked in the rules file.
+#	- All entries in a macro undergo substitution when the macro is
+#	  invoked in the rules file.
 #
 #	- Macros may not invoke other macros.
 #
-# The columns in a macro definition are the same as those in the action.template file.
+# The columns in a macro definition are the same as those in the
+# action.template file.
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
@@ -38,32 +41,40 @@
 #
 # The substitution rules are as follows:
 #
-#	ACTION column		If in the invocation of the macro, the macro name is followed by
+#	ACTION column		If in the invocation of the macro, the macro
-#				slash ("/") and a second name, the second name is substituted for
+#				name is followed by slash ("/") and a second
-#				each entry in the macro whose ACTION is PARAM
+#				name, the second name is substituted for each
+#				entry in the macro whose ACTION is PARAM
 #
-#				For example, if macro FOO is invoked as FOO/ACCEPT then when
+#				For example, if macro FOO is invoked as
-#				expanding macro.FOO, Shorewall will substitute ACCEPT in each
+#				FOO/ACCEPT then when expanding macro.FOO,
-#				entry in macro.FOO whose ACTION column contains PARAM. PARAM may
+#				Shorewall will substitute ACCEPT in each
-#				be optionally followed by a colon and a log level.
+#				entry in macro.FOO whose ACTION column
+#				contains PARAM. PARAM may be optionally
+#				followed by a colon and a log level.
 #	
-#				Any logging specified when the macro is invoked is applied to each
+#				Any logging specified when the macro is
-#				entry in the macros.
+#				invoked is applied to each entry in the macros.
 #
-#	SOURCE and DEST		If the column in the macro is empty then the value in the rules 
+#	SOURCE and DEST		If the column in the macro is empty then the
-#	columns 		file is used. If the column in the macro is non-empty then any
+#	columns			value in the rules file is used. If the column
-#				value in the rules file is appended with a ":" separator.
+#				in the macro is non-empty then any value in
+#				the rules file is appended with a ":"
+#				separator.
 #
-#				Example:   Macro File	DNAT	net	loc	tcp	21
+#
+#	Example:		###############################################
+#				#ACTION	SOURCE	DEST		PROTO	DEST
+#				#					PORT
+#		   Macro File	DNAT	net	loc		tcp	21
 #		   rules File	FwdFTP	-	192.168.1.5
 #		   Result	DNAT	net	loc:192.168.1.5	tcp	21
 #	
-#	Remaining 		Any value in the rules file REPLACES the value given in the macro
+#	Remaining		Any value in the rules file REPLACES the value
-#	columns			file.
+#	columns			given in the macro file.
 #
 #		
-#		
+###############################################################################
-####################################################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   RATE		USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-#                       	        	PORT    PORT(S)    LIMIT	GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/masq

@@ -1,10 +1,10 @@
 #
-# Shorewall 2.6 - Masquerade file
+# Shorewall version 2.6 - Masq file
 #
 # /etc/shorewall/masq
 #
-# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+#	Use this file to define dynamic NAT (Masquerading) and to define
-# (SNAT).
+#	Source NAT (SNAT).
 #
 # Columns are:
 #
@@ -93,12 +93,15 @@
 #
 #				The <address-ranges> may be single addresses.
 #
-#				SAME works like SNAT with the exception that the
+#				SAME works like SNAT with the exception that
-#				same local IP address is assigned to each connection
+#				the same local IP address is assigned to each
-#				from a local address to a given remote address. If
+#				connection from a local address to a given
-#				the 'nodst:' option is included, then the same source
+#				remote address.
-#				address is used for a given internal system regardless
+#
-#				of which remote system is involved.
+#				If the 'nodst:' option is included, then the
+#				same source address is used for a given
+#				internal system regardless of which remote
+#				system is involved.
 #
 #				If you want to leave this column empty
 #				but you need to specify the next column then
@@ -125,21 +128,22 @@
 #				your kernel and iptables must include policy
 #				match support.
 #
-#				Comma-separated list of options from the following.
+#				Comma-separated list of options from the
-#				Only packets that will be encrypted via an SA that
+#				following. Only packets that will be encrypted
-#				matches these options will have their source address
+#				via an SA that matches these options will have
-#				changed.
+#				their source address changed.
 #
-#					Yes or yes -- must be the only option listed
+#					Yes or yes -- must be the only option
-#					and matches all outbound traffic that will be
+#					listed and matches all outbound
-#					encrypted.
+#					traffic that will be encrypted.
 #
-#					reqid=<number> where <number> is specified
+#					reqid=<number> where <number> is
-#					using setkey(8) using the 'unique:<number>
+#					specified using setkey(8) using the
-#					option for the SPD level.
+#					'unique:<number> option for the SPD
+#					level.
 #
-#					spi=<number> where <number> is the SPI of
+#					spi=<number> where <number> is the
-#					the SA.
+#					SPI of the SA.
 #
 #					proto=ah|esp|ipcomp
 #
@@ -151,11 +155,11 @@
 #					tunnel-dst=<address>[/<mask>] (only
 #					available with mode=tunnel)
 #
-#					strict  Means that packets must match all
+#					strict	Means that packets must match
-#						rules.
+#						all rules.
 #
-#					next    Separates rules; can only be used
+#					next	Separates rules; can only be
-#						with strict..
+#						used with strict..
 #
 #	Example 1:
 #

Shorewall/modules

@@ -1,27 +1,31 @@
-##############################################################################
+#
-# Shorewall 2.6 /etc/shorewall/modules
+# Shorewall version 2.6 - Modules File
+#
+# /etc/shorewall/modules
 #
 #	This file loads the modules needed by the firewall.
 #
 #	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-# dependency order. i.e., if M2 depends on M1 then you must load M1 before
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
-# you load M2.
+#	before you load M2.
 #
-# For additional information, see http://shorewall.net/Documentation.htm#modules
+# For additional information, see
-
+# http://shorewall.net/Documentation.htm#modules
-    loadmodule ip_tables
+#
-    loadmodule iptable_filter
+###############################################################################
-    loadmodule ip_conntrack
+loadmodule ip_tables
-    loadmodule ip_conntrack_ftp
+loadmodule iptable_filter
-    loadmodule ip_conntrack_tftp
+loadmodule ip_conntrack
-    loadmodule ip_conntrack_irc
+loadmodule ip_conntrack_ftp
-    loadmodule iptable_nat
+loadmodule ip_conntrack_tftp
-    loadmodule ip_nat_ftp
+loadmodule ip_conntrack_irc
-    loadmodule ip_nat_tftp
+loadmodule iptable_nat
-    loadmodule ip_nat_irc
+loadmodule ip_nat_ftp
-    loadmodule ip_set
+loadmodule ip_nat_tftp
-    loadmodule ip_set_iphash
+loadmodule ip_nat_irc
-    loadmodule ip_set_ipmap
+loadmodule ip_set
-    loadmodule ip_set_macipmap
+loadmodule ip_set_iphash
-    loadmodule ip_set_portmap
+loadmodule ip_set_ipmap
-
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/nat

@@ -1,6 +1,5 @@
-##############################################################################
 #
-# Shorewall 2.6  -- Network Address Translation Table
+# Shorewall version 2.6 - Nat File
 #
 # /etc/shorewall/nat
 #
@@ -11,7 +10,7 @@
 #	   file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
 #	   cases, Proxy ARP is a better solution that one-to-one NAT.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	EXTERNAL	External IP Address - this should NOT be the primary
 #			IP address of the interface named in the next
@@ -40,8 +39,8 @@
 #			system
 #
 # For additional information, see http://shorewall.net/NAT.htm
-##############################################################################
+#
+###############################################################################
 #EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL
 #						INTERFACES
-#
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/netmap

@@ -1,6 +1,5 @@
-##############################################################################
 #
-# Shorewall 2.6  -- Network Mapping Table
+# Shorewall version 2.6	 - Netmap File
 #
 # /etc/shorewall/netmap
 #
@@ -10,7 +9,7 @@
 #	WARNING: To use this file, your kernel and iptables must have
 #		 NETMAP support included.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	TYPE		Must be DNAT or SNAT.
 #
@@ -32,7 +31,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-##############################################################################
+###############################################################################
 #TYPE	NET1			INTERFACE	NET2
-#
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/params

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 /etc/shorewall/params
+# Shorewall version 2.4 - Params File
+#
+# /etc/shorewall/params
 #
 #	Assign any variables that you need here.
 #
@@ -21,5 +23,5 @@
 #
 #		net	eth0		130.252.100.255	routefilter,norfc1918
 #
-##############################################################################
+###############################################################################
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/policy

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.6 -- Policy File
+# Shorewall version 2.6 - Policy File
 #
 # /etc/shorewall/policy
 #
@@ -23,39 +23,43 @@
 #
 #			ACCEPT		- Accept the connection
 #			DROP		- Ignore the connection request
-#			REJECT		- For TCP, send RST. For all other, send
+#			REJECT		- For TCP, send RST. For all other,
-#					  "port unreachable" ICMP.
+#					  send "port unreachable" ICMP.
 #			QUEUE		- Send the request to a user-space
 #					  application using the QUEUE target.
 #			CONTINUE	- Pass the connection request past
 #					  any other rules that it might also
-#					  match (where the source or destination
+#					  match (where the source or
-#					  zone in those rules is a superset of
+#					  destination zone in those rules is
-#					  the SOURCE or DEST in this policy).
+#					  a superset of the SOURCE or DEST
+#					  in this policy).
 #			NONE		- Assume that there will never be any
 #					  packets from this SOURCE
-#					  to this DEST. Shorewall will not set up
+#					  to this DEST. Shorewall will not set
-#					  any infrastructure to handle such
+#					  up any infrastructure to handle such
-#				 	  packets and you may not have any rules
+#					  packets and you may not have any
-#					  with this SOURCE and DEST in the
+#					  rules with this SOURCE and DEST in
-#					  /etc/shorewall/rules file. If such a
+#					  the /etc/shorewall/rules file. If
-#					  packet _is_ received, the result is
+#					  such a packet _is_ received, the
-#					  undefined. NONE may not be used if the 
+#					  result is undefined. NONE may not be
-#					  SOURCE or DEST columns contain the
+#					  used if the SOURCE or DEST columns
-#					  firewall zone ($FW) or "all".
+#					  contain the firewall zone ($FW) or
+#					  "all".
 #
 #			If this column contains ACCEPT, DROP or REJECT and a
 #			corresponding common action is defined in
-#			/etc/shorewall/actions (or /usr/share/shorewall/actions.std)
+#			/etc/shorewall/actions (or
-#			then that action will be invoked before the policy named in
+#			/usr/share/shorewall/actions.std) then that action
-#			this column is inforced.
+#			will be invoked before the policy named in this column
+#			is inforced.
 #
 #			The policy determined the default treatment of new
-#			connection requests and may optionally be followed by ":" 
+#			connection requests and may optionally be followed by
-#			and an ESTABLISHED policy which determines what
+#			":" and an ESTABLISHED policy which determines what
-#			is to be done with packets that are part of an established
+#			is to be done with packets that are part of an
-#			connection. The choices are ACCEPT (the default) and QUEUE
+#			established connection. The choices are ACCEPT (the
-#			(to queue the packet to a user-space filter like Snort Inline). 
+#			default) and QUEUE (to queue the packet to a
+#			user-space filter like Snort Inline).
 #
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no
@@ -93,6 +97,7 @@
 #	all		all		REJECT		info
 #
 # See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
 #						LEVEL

Shorewall/providers

@@ -1,6 +1,5 @@
-##############################################################################
 #
-# Shorewall 2.6  -- Internet Service Providers
+# Shorewall version 2.6 - Providers File
 #
 # /etc/shorewall/providers
 #
@@ -15,7 +14,7 @@
 #
 #	To omit a column, enter "-".
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	NAME		The provider name.
 #
@@ -80,7 +79,9 @@
 #      ISP1  1	    1	 main	   eth0	     206.124.146.254 track,balance
 #      ISP2  2	    2	 main	   eth1	     130.252.99.254  track,balance
 #
-# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
+# For additional information, see
-##############################################################################################
+# http://shorewall.net/Shorewall_and_Routing.html
+#
+############################################################################################
 #NAME	NUMBER	MARK	DUPLICATE	INTERFACE	GATEWAY		OPTIONS		COPY
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/proxyarp

@@ -1,12 +1,11 @@
-##############################################################################
 #
-# Shorewall 2.6 -- Proxy ARP
+# Shorewall version  2.6 - Proxyarp File
 #
 # /etc/shorewall/proxyarp
 #
 #	This file is used to define Proxy ARP.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	ADDRESS		IP Address
 #
@@ -41,6 +40,7 @@
 #			155.186.235.6	eth1		eth0
 #
 # See http://shorewall.net/ProxyARP.htm for additional information.
-##############################################################################
+#
+###############################################################################
 #ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/rfc1918

@@ -1,9 +1,10 @@
 #
-# Shorewall 2.6 -- RFC1918 File
+# Shorewall version 2.6 - Rfc1918 File
 #
 # /etc/shorewall/rfc1918
 #
-# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
+#	Lists the subnetworks that are blocked by the 'norfc1918' interface
+#	option.
 #
 #	The default list includes those IP addresses listed in RFC 1918.
 #
@@ -21,23 +22,24 @@
 #			DROP	- silently drop the packet
 #			logdrop - log then drop
 #
-# By default, the RETURN target causes 'norfc1918' processing to cease for a
+#	By default, the RETURN target causes 'norfc1918' processing to cease
-# packet if the packet's source IP address matches the rule. Thus, if you have:
+#	for a packet if the packet's source IP address matches the rule. Thus,
+#	if you have:
 #
 #		SUBNETS			TARGET
 #		192.168.1.0/24		RETURN
 #
-# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you 
+#	then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
-# also have:
+#	you also have:
 #
 #		SUBNETS			TARGET
 #		10.0.0.0/8		logdrop
 #
-# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
+#	Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
-# logged and dropped since while the packet's source matches the RETURN rule,
+#	to be logged and dropped since while the packet's source matches the
-# the packet's destination matches the 'logdrop' rule.
+#	RETURN rule, the packet's destination matches the 'logdrop' rule.
 #
-################################################################################
+###############################################################################
 #SUBNETS		TARGET
 172.16.0.0/12		logdrop		# RFC 1918
 192.168.0.0/16		logdrop		# RFC 1918

Shorewall/routestopped

@@ -1,6 +1,5 @@
-##############################################################################
 #
-# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall version 2.6 - Routestopped File
 #
 # /etc/shorewall/routestopped
 #
@@ -8,7 +7,7 @@
 #	firewall is stopped or when it is in the process of being
 #	[re]started.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	INTERFACE	- Interface through which host(s) communicate with
 #			  the firewall
@@ -55,6 +54,7 @@
 # See http://shorewall.net/Documentation.htm#Routestopped and
 # http://shorewall.net/starting_and_stopping_shorewall.htm for additional
 # information.
-##############################################################################
+#
+###############################################################################
 #INTERFACE	HOST(S)			OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/rules

@@ -18,7 +18,7 @@
 # WARNING: If you masquerade or use SNAT from a local system to the internet,
 #	   you cannot use an ACCEPT rule to allow traffic from the internet to
 #	   that system. You *must* use a DNAT rule instead.
-#-------------------------------------------------------------------------------#
+#------------------------------------------------------------------------------
 # Columns are:
 #
 #	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
@@ -112,13 +112,13 @@
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #			defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself, "all" or "none" If the ACTION is DNAT or
+#			firewall itself, "all" or "none" If the ACTION is DNAT
-#			REDIRECT, sub-zones of the specified zone may be
+#			or REDIRECT, sub-zones of the specified zone may be
 #			excluded from the rule by following the zone name with
 #			"!' and a comma-separated list of sub-zone names.
 #
-#			When "none" is used either in the SOURCE or DEST column,
+#			When "none" is used either in the SOURCE or DEST
-#			the rule is ignored.
+#			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. You must add
@@ -134,11 +134,12 @@
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
-#                       If you kernel and iptables have ipset match support then
+#			If you kernel and iptables have ipset match support
-#                       you may give the name of an ipset prefaced by "+". The
+#			then you may give the name of an ipset prefaced by "+".
-#                       ipset name may be optionally followed by a number from
+#			The ipset name may be optionally followed by a number
-#                       1 to 6 enclosed in square brackets ([]) to indicate the
+#			from 1 to 6 enclosed in square brackets ([]) to
-#                       number of levels of source bindings to be matched.
+#			indicate the number of levels of source bindings to be
+#			matched.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
@@ -167,8 +168,8 @@
 #			/etc/shorewall/zones, $FW to indicate the firewall
 #			itself, "all" or "none".
 #
-#			When "none" is used either in the SOURCE or DEST column,
+#			When "none" is used either in the SOURCE or DEST
-#			the rule is ignored.
+#			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. You must add
@@ -194,13 +195,13 @@
 #			the connections will be assigned to addresses in the
 #			range in a round-robin fashion.
 #
-#                       If you kernel and iptables have ipset match support then
+#			If you kernel and iptables have ipset match support
-#                       you may give the name of an ipset prefaced by "+". The
+#			then you may give the name of an ipset prefaced by "+".
-#                       ipset name may be optionally followed by a number from
+#			The ipset name may be optionally followed by a number
-#                       1 to 6 enclosed in square brackets ([]) to indicate the
+#			from 1 to 6 enclosed in square brackets ([]) to
-#                       number of levels of destination bindings to be matched.
+#			indicate the number of levels of destination bindings
-#                       Only one of the SOURCE and DEST columns may specify an
+#			to be matched. Only one of the SOURCE and DEST columns
-#                       ipset name.
+#			may specify an ipset name.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
@@ -246,8 +247,8 @@
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
-#			specify an ORIGINAL DEST in the next column, then place
+#			specify an ORIGINAL DEST in the next column, then
-#			"-" in this column.
+#			place "-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
@@ -257,8 +258,8 @@
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
-#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then 
+#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
-#			if included and different from the IP
+#			then if included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
@@ -278,11 +279,11 @@
 #			contain one or more addresses (host or network)
 #			separated by commas. Address ranges are not allowed.
 #			When this column is supplied, rules are generated
-#                       that require that the original destination address matches
+#			that require that the original destination address
-#                       one of the listed addresses. This feature is most useful when
+#			matches one of the listed addresses. This feature is
-#                       you want to generate a filter rule that corresponds to a 
+#			most useful when you want to generate a filter rule
-#		        DNAT- or REDIRECT- rule. In this usage, the list of
+#			that corresponds to a DNAT- or REDIRECT- rule. In this
-#			addresses should not begin with "!".
+#			usage, the list of addresses should not begin with "!".
 #
 #			See http://shorewall.net/PortKnocking.html for an
 #			example of using an entry in this column with a
@@ -328,8 +329,8 @@
 #	#				PORT	PORT(S) DEST
 #	ACCEPT	dmz	net	  tcp	smtp
 #
-#	Example: Forward all ssh and http connection requests from the internet
+#	Example: Forward all ssh and http connection requests from the
-#		 to local system 192.168.1.3
+#		 internet to local system 192.168.1.3
 #
 #	#ACTION SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
 #	#					PORT	PORT(S) DEST
@@ -365,7 +366,7 @@
 #	#					PORT	PORT(S) DEST
 #	ACCEPT	 net:130.252.100.69,130.252.100.70 fw \
 #					tcp	22
-####################################################################################################
+#############################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
 #						PORT	PORT(S)		DEST		LIMIT		GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/shorewall.conf

@@ -1,4 +1,4 @@
-##############################################################################
+###############################################################################
 #  /etc/shorewall/shorewall.conf V2.6 - Change the following variables to
 #  match your setup
 #
@@ -7,17 +7,19 @@
 #  This file should be placed in /etc/shorewall
 #
 #  (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
-##############################################################################
+###############################################################################
 #		       S T A R T U P   E N A B L E D
-##############################################################################
+###############################################################################
+#
 # Once you have configured Shorewall, you may change the setting of
 # this variable to 'Yes'
+#
 
 STARTUP_ENABLED=No
 
-##############################################################################
+###############################################################################
 #			       L O G G I N G
-##############################################################################
+###############################################################################
 #
 # General note about log levels. Log levels are a method of describing
 # to syslog (8) the importance of a message and a number of parameters
@@ -53,7 +55,7 @@ STARTUP_ENABLED=No
 # installed by default). Ulogd is also available from
 # http://www.gnumonks.org/projects/ulogd and can be configured to log all
 # Shorewall message to their own log file
-################################################################################
+###############################################################################
 #
 # LOG FILE LOCATION
 #
@@ -66,6 +68,7 @@ STARTUP_ENABLED=No
 #	   these messages. For information about how to do that, see
 #
 #	       http://www.shorewall.net/shorewall_logging.html
+#
 
 LOGFILE=/var/log/messages
 
@@ -77,8 +80,8 @@ LOGFILE=/var/log/messages
 # template is expected to accept either two or three arguments; the first is
 # the chain name, the second (optional) is the logging rule number within that
 # chain and the third is the ACTION specifying the disposition of the packet
-# being logged. You must use the %d formatting type for the rule number; if your
+# being logged. You must use the %d formatting type for the rule number; if
-# template does not contain %d then the rule number will not be included.
+# your template does not contain %d then the rule number will not be included.
 #
 # If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
 #
@@ -92,6 +95,7 @@ LOGFILE=/var/log/messages
 # 'status' and 'hits' commands. This part should not be omitted (the
 # LOGFORMAT should not begin with "%") and the leading part should be
 # sufficiently unique for /sbin/shorewall to identify Shorewall messages.
+#
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -174,6 +178,7 @@ BLACKLIST_LOGLEVEL=
 # See the comment at the top of this section for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
+#
 
 LOGNEWNOTSYN=info
 
@@ -220,7 +225,6 @@ RFC1918_LOG_LEVEL=info
 #'nosmurfs' interface option in /etc/shorewall/interfaces and in
 # /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
 # ) then dropped smurfs are not logged.
-
 #
 # See the comment at the top of this section for a description of log levels
 #
@@ -238,9 +242,9 @@ SMURF_LOG_LEVEL=info
 
 LOG_MARTIANS=No
 
-################################################################################
+###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-################################################################################
+###############################################################################
 #
 # IPTABLES
 #
@@ -263,6 +267,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # The firewall script is normally interpreted by /bin/sh. If you wish to change
 # the shell used to interpret that script, specify the shell here.
+#
 
 SHOREWALL_SHELL=/bin/sh
 
@@ -281,6 +286,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
+#
 
 MODULESDIR=
 
@@ -296,6 +302,7 @@ MODULESDIR=
 #
 # If not specified or specified as null ("CONFIG_PATH=""),
 # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
+#
 
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 
@@ -314,6 +321,7 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 # directory /var/lib/shorewall. If this option is not set or if it is
 # set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
 # assumed.
+#
 
 RESTOREFILE=
 
@@ -323,14 +331,16 @@ RESTOREFILE=
 # Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
 # Beginning with 2.5.0, those files were combined. For users who haven't
 # converted, we offer this variable that sets the name of the file for ipsec
-# information. This option must take the value "zones" or "ipsec". If the option
+# information. This option must take the value "zones" or "ipsec". If the
-# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed.
+# option is not set or is set to the empty value (IPSECFILE="") then "ipsec"
+# is assumed.
+#
 
 IPSECFILE=zones
 
-################################################################################
+###############################################################################
 #			F I R E W A L L	  O P T I O N S
-################################################################################
+###############################################################################
 
 # NAME OF THE FIREWALL ZONE
 #
@@ -369,9 +379,9 @@ ADD_IP_ALIASES=Yes
 # AUTOMATICALLY ADD SNAT IP ADDRESSES
 #
 # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each SNAT external address that you give in /etc/shorewall/masq. If you say
+# for each SNAT external address that you give in /etc/shorewall/masq. If you
-# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
+# say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"
-# you are sure that you need it -- most people don't!!!
+# unless you are sure that you need it -- most people don't!!!
 #
 
 ADD_SNAT_ALIASES=No
@@ -395,8 +405,9 @@ RETAIN_ALIASES=No
 #
 # ENABLE TRAFFIC SHAPING
 #
-# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall.
-# you say "No" or "no" then traffic shaping is not enabled.
+# If you say "No" or "no" then traffic shaping is not enabled.
+#
 
 TC_ENABLED=No
 
@@ -413,6 +424,7 @@ TC_ENABLED=No
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
 # If omitted, CLEAR_TC=Yes is assumed.
+#
 
 CLEAR_TC=Yes
 
@@ -425,14 +437,15 @@ CLEAR_TC=Yes
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
 # Marking packets in the FORWARD chain has the advantage that inbound
-# packets destined for Masqueraded/SNATed local hosts have had their destination
+# packets destined for Masqueraded/SNATed local hosts have had their
-# address rewritten so they can be marked based on their destination. When
+# destination address rewritten so they can be marked based on their
-# packets are marked in the PREROUTING chain, packets destined for
+# destination. When packets are marked in the PREROUTING chain, packets
-# Masqueraded/SNATed local hosts still have a destination address corresponding
+# destined for Masqueraded/SNATed local hosts still have a destination address
-# to the firewall's external interface.
+# corresponding to the firewall's external interface.
 #
 # Note: Older kernels do not support marking packets in the FORWARD chain and
 #	setting this variable to Yes may cause startup problems.
+#
 
 MARK_IN_FORWARD_CHAIN=No
 
@@ -481,12 +494,14 @@ CLAMPMSS=No
 # interfaces started while Shorewall is started (anti-spoofing measure).
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
-# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
+# Regardless of the setting of ROUTE_FILTER, you can still enable route
-# on individual interfaces using the 'routefilter' option in the
+# filtering on individual interfaces using the 'routefilter' option in the
 # /etc/shorewall/interfaces file.
+#
 
 ROUTE_FILTER=No
 
+#
 # DNAT IP ADDRESS DETECTION
 #
 # Normally when Shorewall encounters the following rule:
@@ -515,6 +530,7 @@ ROUTE_FILTER=No
 # one of the interfaces associated with the source zone. Note that this
 # requires all interfaces to the source zone to be up when the firewall
 # is [re]started.
+#
 
 DETECT_DNAT_IPADDRS=No
 
@@ -530,6 +546,7 @@ DETECT_DNAT_IPADDRS=No
 #
 # An appropriate value for this parameter would be twice the length of time
 # that it takes your firewall system to process a "shorewall restart" command.
+#
 
 MUTEX_TIMEOUT=60
 
@@ -575,6 +592,7 @@ MUTEX_TIMEOUT=60
 # connection from the conntrack table but the end-points haven't
 # completed shutting down the connection).  I therefore have chosen
 # NEWNOTSYN=Yes as the default value.
+#
 
 NEWNOTSYN=Yes
 
@@ -595,8 +613,8 @@ NEWNOTSYN=Yes
 # a remote firewall (or worse, they have to get someone out of bed to drive
 # across town to restart a very remote firewall).
 #
-# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
+# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this
-# when the firewall enters the 'stopped' state:
+# setting, when the firewall enters the 'stopped' state:
 #
 # All traffic that is part of or related to established connections is still
 # allowed and all OUTPUT traffic is allowed. This is in addition to traffic
@@ -613,8 +631,8 @@ ADMINISABSENTMINDED=Yes
 #
 # Shorewall offers two types of blacklisting:
 #
-#	- static blacklisting through the /etc/shorewall/blacklist file together
+#	- static blacklisting through the /etc/shorewall/blacklist file
-#	  with the 'blacklist' interface option.
+#	  together with the 'blacklist' interface option.
 #	- dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
 #
 # The following variable determines whether the blacklist is checked for each
@@ -636,6 +654,7 @@ BLACKLISTNEWONLY=Yes
 # time and that new connections are disabled during that time. By setting
 # DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
 # before loading the blacklist.
+#
 
 DELAYBLACKLISTLOAD=No
 
@@ -700,6 +719,7 @@ DYNAMIC_ZONES=No
 # able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
 # will use IP addresses to detect broadcasts rather than pkttype. If not given
 # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
+#
 
 PKTTYPE=Yes
 
@@ -728,6 +748,7 @@ PKTTYPE=Yes
 #
 # WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
 #	   'conntrack state' match.
+#
 
 RFC1918_STRICT=No
 
@@ -751,6 +772,7 @@ RFC1918_STRICT=No
 # If MACLIST_TTL is not specified or is specified as empty (e.g,
 # MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
 # be cached.
+#
 
 MACLIST_TTL=
 
@@ -765,6 +787,7 @@ MACLIST_TTL=
 #	Regardless of the setting of SAVE_IPSETS, if ipset contents were
 #	saved during a "shorewall save" then they will be restored during
 #	a subsequent "shorewall restore".
+#
 
 SAVE_IPSETS=No
 
@@ -776,12 +799,13 @@ SAVE_IPSETS=No
 # compatibility, Shorewall can map the old names into invocations of the new
 # macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
 # the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
+#
 
 MAPOLDACTIONS=No
 
-################################################################################
+###############################################################################
 #			P A C K E T   D I S P O S I T I O N
-################################################################################
+###############################################################################
 #
 # BLACKLIST DISPOSITION
 #
@@ -800,6 +824,7 @@ BLACKLIST_DISPOSITION=DROP
 # that is not listed for that interface in /etc/shorewall/maclist. Valid
 # values are ACCEPT, DROP and REJECT. If not specified or specified as
 # empty (MACLIST_DISPOSITION="") then REJECT is assumed
+#
 
 MACLIST_DISPOSITION=REJECT
 
@@ -811,6 +836,7 @@ MACLIST_DISPOSITION=REJECT
 # 'tcpflags' option specified in /etc/shorewall/interfaces or in
 # /etc/shorewall/hosts. If not specified or specified as empty
 # (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
+#
 
 TCP_FLAGS_DISPOSITION=DROP
 

Shorewall/start

@@ -1,8 +1,13 @@
-############################################################################
+#
-# Shorewall 2.6 -- /etc/shorewall/start
+# Shorewall version 2.4 - Start File
+#
+# /etc/shorewall/start
 #
 #	Add commands below that you want to be executed after shorewall has
 #	been started or restarted.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/started

@@ -1,5 +1,7 @@
-############################################################################
+#
-# Shorewall 2.6 -- /etc/shorewall/started
+# Shorewall version 2.6 - Started File
+#
+# /etc/shorewall/started
 #
 #	Add commands below that you want to be executed after shorewall has
 #	been completely started or restarted. The difference between this
@@ -8,10 +10,14 @@
 #	after the 'shorewall' chain has been created (thus signaling that the
 #	firewall is completely up.
 #
-# This script should not change the firewall configuration directly but may
+#	This script should not change the firewall configuration directly but
-# do so indirectly by running /sbin/shorewall with the 'nolock' option.
+#	may do so indirectly by running /sbin/shorewall with the 'nolock'
+#	option.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information. Note though that the "ensure_and_save_command" function
 # should not be used in this script because Shorewall is already running
 # when this function is called.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/stop

@@ -1,8 +1,13 @@
-############################################################################
+#
-# Shorewall 2.6 -- /etc/shorewall/stop
+# Shorewall version 2.6 - Stop File
+#
+# /etc/shorewall/stop
 #
 #	Add commands below that you want to be executed at the beginning of a
 #	"shorewall stop" command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/stopped

@@ -1,8 +1,13 @@
-############################################################################
+#
-# Shorewall 2.6 -- /etc/shorewall/stopped
+# Shorewall version 2.4 - Stopped File
+#
+# /etc/shorewall/stopped
 #
 #	Add commands below that you want to be executed at the completion of a
 #	"shorewall stop" command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/tcrules

@@ -1,5 +1,5 @@
 #
-# Shorewall version 2.6 - Traffic Control Rules File
+# Shorewall version 2.6 - Tcrules File
 #
 # /etc/shorewall/tcrules
 #
@@ -29,8 +29,9 @@
 #			   where ":P" indicates that marking should occur in
 #			   the PREROUTING chain and ":F" indicates that marking
 #			   should occur in the FORWARD chain. If neither
-#			   ":P" nor ":F" follow the mark value then the chain is
+#			   ":P" nor ":F" follow the mark value then the chain
-#			   determined by the setting of MARK_IN_FORWARD_CHAIN in
+#			   is determined by the setting of
+#			   MARK_IN_FORWARD_CHAIN in
 #			   /etc/shorewall/shorewall.conf.
 #
 #			   If your kernel and iptables include CONNMARK support
@@ -47,7 +48,8 @@
 #
 #				CF: Mark the connection in the FORWARD chain
 #
-#				CP: Mark the connection in the PREROUTING chain.
+#				CP: Mark the connection in the PREROUTING
+#				    chain.
 #
 #			b) A classification of the form <major>:<minor> where
 #			   <major> and <minor> are integers. Corresponds to
@@ -65,17 +67,22 @@
 #
 #			c) RESTORE[/mask] -- restore the packet's mark from the
 #			   connection's mark using the supplied mask if any.
-#			   Your kernel and iptables must  include CONNMARK support.
+#			   Your kernel and iptables must include CONNMARK
+#			   support.
+#
 #			   As in a) above, may be followed by ":P" or ":F
 #
 #			c) SAVE[/mask] -- save the packet's mark to the
 #			   connection's mark using the supplied mask if any.
-#			   Your kernel and iptables must  include CONNMARK support.
+#			   Your kernel and iptables must include CONNMARK
+#			   support.
+#
 #			   As in a) above, may be followed by ":P" or ":F
 #
 #			d) CONTINUE -- don't process any more marking rules in
-#			   the table. As in a) above, may be followed by ":P" or
+#			   the table.
-#			   ":F".
+#
+#			   As in a) above, may be followed by ":P" or ":F".
 #
 #	SOURCE		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses
@@ -111,8 +118,8 @@
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p, this column is interpreted
-#			as an ipp2p option without the leading "--" (example "bit"
+#			as an ipp2p option without the leading "--" (example
-#			for bit-torrent). If no PORT is given, "ipp2p" is
+#			"bit" for bit-torrent). If no PORT is given, "ipp2p" is
 #			assumed.
 #
 #			This column is ignored if PROTOCOL = all but must be
@@ -138,11 +145,12 @@
 #
 #			The colon is optionnal when specifying only a user
 #			or a program name.
-#			Examples : john: , john , :users , john:users , +mozilla-bin
+#			Examples : john: , john , :users , john:users ,
+#				   +mozilla-bin
 #
-#	TEST		Defines a test on the existing packet or connection mark. 
+#	TEST		Defines a test on the existing packet or connection
-#			The rule will match only if the test returns true. Tests
+#			mark. The rule will match only if the test returns
-#			have the format [!]<value>[/<mask>][:C]
+#			true. Tests have the format [!]<value>[/<mask>][:C]
 #
 #			Where:
 #
@@ -150,11 +158,12 @@
 #				<value> Value of the packet or connection mark.
 #				<mask>	A mask to be applied to the mark before
 #					testing
-#				:C	Designates a connection mark. If omitted,
+#				:C	Designates a connection mark. If
-#					the packet mark's value is tested.
+#					omitted, the packet mark's value is
+#					tested.
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
-##############################################################################
+###############################################################################
 #MARK	SOURCE		DEST		PROTO	PORT(S)	CLIENT	USER	TEST
 #							PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/tos

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 -- /etc/shorewall/tos
+# Shorewall version 2.6 - Tos File
+#
+#  /etc/shorewall/tos
 #
 #	This file defines rules for setting Type Of Service (TOS)
 #
@@ -41,6 +43,7 @@
 #				Minimize-Cost (2)
 #				Normal-Service (0)
 #
-##############################################################################
+###############################################################################
-#SOURCE DEST		PROTOCOL	SOURCE PORTS	DEST PORTS	TOS
+#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS
+#						PORTS	PORTS
 #LAST LINE -- Add your entries above -- DO NOT REMOVE

Shorewall/tunnels

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.4 - /etc/shorewall/tunnels
+# Shorewall version 2.6 - Tunnels File
+#
+# /etc/shorewall/tunnels
 #
 #	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
@@ -9,13 +11,13 @@
 #
 #	The columns are:
 #
-#	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat","ipip"
+#	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat",
-#			"gre", "6to4", "pptpclient", "pptpserver", "openvpn" or 
+#			"ipip", "gre", "6to4", "pptpclient", "pptpserver",
-#			"generic"
+#			"openvpn" or "generic"
 #
-#			If the type is "ipsec" or "ipsecnat", it may be followed
+#			If the type is "ipsec" or "ipsecnat", it may be
-#			by ":noah" to indicate that the Authentication Header
+#			followed by ":noah" to indicate that the Authentication
-#			protocol (51) is not used by the tunnel.
+#			Header protocol (51) is not used by the tunnel.
 #
 #			If type is "openvpn", it may optionally be followed
 #			by ":" and the port number used by the tunnel. if no
@@ -102,16 +104,17 @@
 #
 #		Example 8:
 #
-#			You have a tunnel that is not one of the supported types.
+#			You have a tunnel that is not one of the supported
-#			Your tunnel uses UDP port 4444. The other end of the
+#			types. Your tunnel uses UDP port 4444. The other end
-#			tunnel is 4.3.99.124.
+#			of the tunnel is 4.3.99.124.
 #
 #			generic:udp:4444	net	4.3.99.124
 #
 #
-# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
+# See http://shorewall.net/Documentation.htm#Tunnels for additional
+# information.
 #
-# TYPE			ZONE	GATEWAY		GATEWAY
+###############################################################################
+#TYPE			ZONE	GATEWAY		GATEWAY
 #						ZONE
-#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/zones

@@ -1,7 +1,11 @@
 #
-# Shorewall 2.6 /etc/shorewall/zones
+# Shorewall version 2.6 - Zones File
 #
-# This file determines your network zones. Columns are:
+# /etc/shorewall/zones
+#
+#	This file determines your network zones.
+#
+# Columns are:
 #
 #	ZONE	Short name of the zone (5 Characters or less in length).
 #		The names "all" and "none" are reserved and may not be
@@ -55,16 +59,18 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#--------------------------------------------------------------------------------
+#------------------------------------------------------------------------------
 # Example zones:
 #
-#    You have a three interface firewall with internet, local and DMZ interfaces.
+#	You have a three interface firewall with internet, local and DMZ
+#	interfaces.
 #
 #	#ZONE	IPSEC	OPTIONS		IN			OUT	
 #	net	
 #	loc
 #	dmz
 #
+###############################################################################
 #ZONE	IPSEC	OPTIONS			IN			OUT
 #	ONLY				OPTIONS			OPTIONS
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE