Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1567 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall-docs2/IPSEC-2.6.xml

@@ -15,7 +15,7 @@
       </author>
     </authorgroup>
 
-    <pubdate>2004-08-18</pubdate>
+    <pubdate>2004-08-19</pubdate>
 
     <copyright>
       <year>2004</year>
@@ -37,7 +37,7 @@
   <warning>
     <para>To use this support, your kernel and iptables must include the
     Netfilter+ipsec patches and policy match support and you must be running
-    Shorewall 2.1.4 or later.</para>
+    Shorewall 2.1.5 or later.</para>
   </warning>
 
   <warning>
@@ -97,7 +97,60 @@
     that is going to be encrypted and incoming traffic that has been decrypted
     must be matched against policies in the SPD.</para>
 
-    <para></para>
+    <para>Shorewall provides support for policy matching in two ways:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>In <filename>/etc/shorewall/masq</filename>, traffic that will
+        later be encrypted is exempted from MASQUERADE/SNAT using existing
+        entries. If you want to MASQUERADE/SNAT outgoing traffic that will
+        later be encrypted, you must include an entry in the new IPSEC column
+        in that file.</para>
+      </listitem>
+
+      <listitem>
+        <para>A <filename>new /etc/shorewall/ipsec</filename> file allows you
+        to associate zones with traffic that will be encrypted or that has
+        been decrypted.</para>
+      </listitem>
+    </orderedlist>
+
+    <para>In summary, Shorewall 2.1.5 and later versions provide the
+    facilities to replace the use of ipsec pseudo-interfaces in zone and
+    MASQUERADE/SNAT definition.</para>
+
+    <para>There are two cases to consider:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>Encrypted communication is used to/from all hosts in a
+        zone.</para>
+
+        <para>The value <emphasis role="bold">Yes</emphasis> is placed in the
+        IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
+        for the zone. </para>
+      </listitem>
+
+      <listitem>
+        <para>Encrypted communication is used to/from only part of the hosts
+        in a zone.</para>
+
+        <para>The value <emphasis role="bold">No</emphasis> is placed in the
+        IPSEC column of the <filename>/etc/shorewall/ipsec</filename> entry
+        for the zone and the new <emphasis role="bold">ipsec</emphasis> option
+        is specified in <filename>/etc/shorewall/hosts</filename> for those
+        hosts requiring secure communication.</para>
+      </listitem>
+    </orderedlist>
+
+    <note>
+      <para>For simple zones such as are shown in the following examples, the
+      two techniques are equivalent and are used interchangably.</para>
+    </note>
+
+    <para>Finally, the OPTIONS, IN OPTIONS and OUT OPTIONS columns in
+    /etc/shorewall/ipsec can be used to match the zone to a particular (set
+    of) SA(s) used to encrypt and decrypt traffic to/from the zone.</para>
   </section>
 
   <section>
@@ -186,6 +239,16 @@ vpn               eth0:192.168.1.0/24    <emphasis role="bold">ipsec</emphasis>
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
     </blockquote>
 
+    <para>Assuming that you want to give each local network free access to the
+    remote network and vice versa, you would need the following
+    <filename>/etc/shorewall/policy</filename> entries on each system:</para>
+
+    <blockquote>
+      <programlisting>#SOURCE          DESTINATION            POLICY          LEVEL       BURST:LIMIT
+loc              vpn                    ACCEPT
+vpn              loc                    ACCEPT</programlisting>
+    </blockquote>
+
     <para>Once you have these entries in place, restart Shorewall (type
     shorewall restart); you are now ready to configure IPSEC.</para>
   </section>
@@ -212,6 +275,7 @@ vpn               eth0:192.168.1.0/24    <emphasis role="bold">ipsec</emphasis>
         <programlisting>#ZONE           DISPLAY         COMMENTS
 net             Internet        The big bad internet
 vpn             VPN             Road Warriors
+loc             local           Local Network (192.168.1.0/24)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
       </blockquote>
 
@@ -313,8 +377,8 @@ spdadd 192.168.20.40/32 192.168.20.10/32 any -P in  ipsec esp/transport/192.168.
       <para><filename>/etc/shorewall/zones</filename>:</para>
 
       <programlisting>#ZONE   DISPLAY         COMMENTS
-loc     Local           Local Network
 net     Net             Internet
+loc     Local           Local Network
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
 
       <para><filename>/etc/shorewall/interfaces</filename>:</para>
@@ -323,12 +387,30 @@ net     Net             Internet
 net     eth0            detect          routefilter,dhcp,tcpflags
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
 
+      <para>/etc/shorewall/tunnels:</para>
+
+      <programlisting>#TYPE          ZONE             GATEWAY         GATEWAY
+#                                               ZONE
+ipsec:noah     net              192.168.20.0/24 loc</programlisting>
+
+      <para>/etc/shorewall/ipsec:</para>
+
+      <programlisting>#ZONE          IPSEC            OPTIONS             IN           OUT
+#              ONLY                                 OPTIONS      OPTIONS
+loc            Yes              mode=transport</programlisting>
+
       <para><filename>/etc/shorewall/hosts</filename>:</para>
 
       <programlisting>#ZONE           HOST(S)                         OPTIONS
-loc             eth0:192.168.20.0/24             ipsec
+loc             eth0:192.168.20.0/24  
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE</programlisting>
 
+      <para>It is worth noting that although <emphasis>loc</emphasis> is a
+      sub-zone of <emphasis>net</emphasis>, because <emphasis>loc</emphasis>
+      is an IPSEC-only zone it does not need to be defined before
+      <emphasis>net</emphasis> in
+      <emphasis>/etc/shorewall/zones</emphasis>.</para>
+
       <para><filename>/etc/shorewall/policy</filename>:</para>
 
       <programlisting>#SOURCE         DEST            POLICY          LOG LEVEL       LIMIT:BURST

Shorewall-docs2/starting_and_stopping_shorewall.xml

@@ -29,7 +29,8 @@
       1.2 or any later version published by the Free Software Foundation; with
       no Invariant Sections, with no Front-Cover, and with no Back-Cover
       Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
     </legalnotice>
   </articleinfo>
 
@@ -41,8 +42,8 @@
 
     <itemizedlist>
       <listitem>
-        <para><filename>/sbin/shorewall</filename> ̶ The program that you use
+        <para><filename>/sbin/shorewall</filename> — The program that you use
-        to interact with Shorewall. Normally the root user&#39;s PATH includes
+        to interact with Shorewall. Normally the root user's PATH includes
         <filename>/sbin</filename> and the program can be run from a shell
         prompt by simply typing <command>shorewall</command> followed by a
         command. To see a list of supported commands, use the
@@ -59,16 +60,17 @@
       <listitem>
         <para><filename>/etc/shorewall</filename> — The default directory
         where Shorewall looks for configuration files. See the section
-        entitled <link linkend="AltConfig">Alternate Configuration Directories</link>
+        entitled <link linkend="AltConfig">Alternate Configuration
-        for information about how you can direct Shorewall to look in other
+        Directories</link> for information about how you can direct Shorewall
-        directories.</para>
+        to look in other directories.</para>
       </listitem>
 
       <listitem>
-        <para><filename>/etc/init.d/shorewall</filename> (<filename>/etc/rc.d/firewall.rc</filename>
+        <para><filename>/etc/init.d/shorewall</filename>
-        on Slackware) — The script run by <command>init</command> (the program
+        (<filename>/etc/rc.d/firewall.rc</filename> on Slackware) — The script
-        responsible for startup and shutdown of your system) to start
+        run by <command>init</command> (the program responsible for startup
-        Shorewall at boot time and to stop Shorewall at shutdown.</para>
+        and shutdown of your system) to start Shorewall at boot time and to
+        stop Shorewall at shutdown.</para>
       </listitem>
 
       <listitem>
@@ -79,8 +81,9 @@
 
       <listitem>
         <para><filename>/usr/share/shorewall/functions</filename> — A library
-        of Bourne Shell functions used by both<filename> /sbin/shorewall</filename>
+        of Bourne Shell functions used by both<filename>
-        and <filename>/usr/share/shorewall/firewall</filename>.</para>
+        /sbin/shorewall</filename> and
+        <filename>/usr/share/shorewall/firewall</filename>.</para>
       </listitem>
     </itemizedlist>
   </section>
@@ -88,21 +91,23 @@
   <section>
     <title>Starting, Stopping and Clearing</title>
 
-    <para>As explained in the <ulink url="Introduction.html">Introduction</ulink>,
+    <para>As explained in the <ulink
-    Shorewall is not something that runs all of the time in your system.
+    url="Introduction.html">Introduction</ulink>, Shorewall is not something
-    Nevertheless, for integrating Shorewall into your initialization scripts
+    that runs all of the time in your system. Nevertheless, for integrating
-    it is useful to speak of <firstterm>starting</firstterm> Shorewall and
+    Shorewall into your initialization scripts it is useful to speak of
+    <firstterm>starting</firstterm> Shorewall and
     <emphasis>stopping</emphasis> Shorewall.</para>
 
     <itemizedlist>
       <listitem>
-        <para>Shorewall is started using the <command>shorewall start</command>
+        <para>Shorewall is started using the <command>shorewall
-        command. Once the start command completes successfully, Netfilter is
+        start</command> command. Once the start command completes
-        configured as described in your Shorewall configuration files. If
+        successfully, Netfilter is configured as described in your Shorewall
-        there is an error during <command>shorewall start</command>, then if
+        configuration files. If there is an error during <command>shorewall
-        you have a <firstterm>saved configuration</firstterm> then that
+        start</command>, then if you have a <firstterm>saved
-        configuration is restored. Otherwise, an implicit <command>shorewall
+        configuration</firstterm> then that configuration is restored.
-        stop</command> is executed.</para>
+        Otherwise, an implicit <command>shorewall stop</command> is
+        executed.</para>
       </listitem>
 
       <listitem>
@@ -113,7 +118,8 @@
           <para>The <command>shorewall stop</command> command does not remove
           all netfilter rules and open your firewall for all traffic to pass.
           It rather places your firewall in a safe state defined by the
-          contents of your <ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>
+          contents of your <ulink
+          url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>
           file and the setting of ADMINISABSENTMINDED in <ulink
           url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
         </important>
@@ -139,16 +145,17 @@
     <title>Tracing Command Execution</title>
 
     <para>If you include the word <emphasis role="bold">trace</emphasis> as
-    the first parameter to <filename>an /sbin/shorewall</filename> command
+    the first parameter to an <filename>/sbin/shorewall</filename> command
-    that transfers control to <filename>/usr/share/shorewall/firewall</filename>,
+    that transfers control to
-    execution of the latter program will be traced to STDERR.</para>
+    <filename>/usr/share/shorewall/firewall</filename>, execution of the
+    latter program will be traced to STDERR.</para>
 
     <example>
       <title>Tracing <command>shorewall start</command></title>
 
       <para>To trace the execution of <command>shorewall start</command> and
       write the trace to the file <filename>/tmp/trace</filename>, you would
-      enter:<programlisting><command>shorewall trace start 2&#62; /tmp/trace</command></programlisting></para>
+      enter:<programlisting><command>shorewall trace start 2&gt; /tmp/trace</command></programlisting></para>
     </example>
   </section>
 
@@ -159,26 +166,38 @@
     that Shorewall will start automatically at boot time. If you are using the
     <command>install.sh </command>script from the .tgz and it cannot determine
     how to configure automatic startup, a message to that effect will be
-    displayed. You will need to consult your distribution&#39;s documentation
+    displayed. You will need to consult your distribution's documentation to
-    to see how to integrate the <filename>/etc/init.d/shorewall</filename>
+    see how to integrate the <filename>/etc/init.d/shorewall</filename> script
-    script into the distribution&#39;s startup mechanism.<caution><itemizedlist><listitem><para>Shorewall
+    into the distribution's startup mechanism.<caution>
-    startup is disabled by default. Once you have configured your firewall,
+        <itemizedlist>
-    you can enable startup by removing the file <filename>/etc/shorewall/startup_disabled</filename>.
+          <listitem>
-    Note: Users of the .deb package must edit <filename>/etc/default/shorewall</filename>
+            <para>Shorewall startup is disabled by default. Once you have
-    and set <quote>startup=1</quote>.</para></listitem><listitem><para>If you
+            configured your firewall, you can enable startup by removing the
-    use dialup or some flavor of PPP where your IP address can change
+            file <filename>/etc/shorewall/startup_disabled</filename>. Note:
-    arbitrarily, you may want to start the firewall in your
+            Users of the .deb package must edit
-    <command>/etc/ppp/ip-up.local</command> script. I recommend just placing
+            <filename>/etc/default/shorewall</filename> and set
-    <quote><command>/sbin/shorewall restart</command></quote> in that script.</para></listitem></itemizedlist></caution></para>
+            <quote>startup=1</quote>.</para>
+          </listitem>
+
+          <listitem>
+            <para>If you use dialup or some flavor of PPP where your IP
+            address can change arbitrarily, you may want to start the firewall
+            in your <command>/etc/ppp/ip-up.local</command> script. I
+            recommend just placing <quote><command>/sbin/shorewall
+            restart</command></quote> in that script.</para>
+          </listitem>
+        </itemizedlist>
+      </caution></para>
   </section>
 
   <section>
-    <title>Saving a Working Configuration for Error Recovery and Fast Startup</title>
+    <title>Saving a Working Configuration for Error Recovery and Fast
+    Startup</title>
 
     <para>Once you have Shorewall working the way that you want it to, you can
     use <command>shorewall save</command> to <firstterm>save</firstterm> the
-    commands necessary to recreate that configuration in a
+    commands necessary to recreate that configuration in a <firstterm>restore
-    <firstterm>restore script</firstterm>.</para>
+    script</firstterm>.</para>
 
     <para>In its simplest form, the save command is just:</para>
 
@@ -191,9 +210,9 @@
     different file name may also be specified in the <command>save</command>
     command:</para>
 
-    <programlisting><command>shorewall save &#60;filename&#62;</command></programlisting>
+    <programlisting><command>shorewall save &lt;filename&gt;</command></programlisting>
 
-    <para>Where &#60;<emphasis>filename</emphasis>&#62; is a simple file name
+    <para>Where &lt;<emphasis>filename</emphasis>&gt; is a simple file name
     (no slashes).</para>
 
     <para>Once created, the default restore script serves several useful
@@ -211,8 +230,9 @@
         <command>shorewall -f start</command>) causes Shorewall to look for
         the default restore script and if it exists, the script is run. This
         is much faster than starting Shorewall using the normal mechanism of
-        reading the configuration files and running <command>iptables</command>
+        reading the configuration files and running
-        dozens or even hundreds of times. <filename>/etc/init.d/shorewall</filename>
+        <command>iptables</command> dozens or even hundreds of times.
+        <filename>/etc/init.d/shorewall</filename>
         (<filename>/etc/rc.d/firewall.rc</filename>) uses the -f option when
         it is processing a request to start Shorewall.</para>
       </listitem>
@@ -221,11 +241,12 @@
         <para>The <command>shorewall restore</command> command can be used at
         any time to quickly configure the firewall.</para>
 
-        <programlisting><command>shorewall restore [ &#60;filename&#62; ]</command></programlisting>
+        <programlisting><command>shorewall restore [ &lt;filename&gt; ]</command></programlisting>
 
-        <para>If no &#60;<emphasis>filename</emphasis>&#62; is given, the
+        <para>If no &lt;<emphasis>filename</emphasis>&gt; is given, the
         default restore script is used. Otherwise, the script
-        <filename>/var/lib/shorewall/&#60;filename&#62;</filename> is used.</para>
+        <filename>/var/lib/shorewall/&lt;filename&gt;</filename> is
+        used.</para>
       </listitem>
     </itemizedlist>
 
@@ -233,15 +254,16 @@
     different Shorewall firewall configurations and switch between them
     quickly using the <command>restore</command> command.</para>
 
-    <para>Restore scripts may be removed using the <command>shorewall forget</command>
+    <para>Restore scripts may be removed using the <command>shorewall
-    command:</para>
+    forget</command> command:</para>
 
-    <programlisting><command>shorewall forget [ &#60;filename&#62; ]</command></programlisting>
+    <programlisting><command>shorewall forget [ &lt;filename&gt; ]</command></programlisting>
 
-    <para>If no &#60;<emphasis>filename</emphasis>&#62; is given, the default
+    <para>If no &lt;<emphasis>filename</emphasis>&gt; is given, the default
-    restore script is removed. Otherwise, <filename>/var/lib/shorewall/&#60;filename&#62;</filename>
+    restore script is removed. Otherwise,
-    is removed (of course, you can also use the Linux <command>rm</command>
+    <filename>/var/lib/shorewall/&lt;filename&gt;</filename> is removed (of
-    command from the shell prompt to remove these files).</para>
+    course, you can also use the Linux <command>rm</command> command from the
+    shell prompt to remove these files).</para>
   </section>
 
   <section>
@@ -249,27 +271,29 @@
 
     <para>As explained above, Shorewall normally looks for configuration files
     in the directory <filename class="directory">/etc/shorewall</filename>.
-    The <command>shorewall start</command>, <command>shorewall restart</command>,
+    The <command>shorewall start</command>, <command>shorewall
-    <command>shorewall check</command>, and <command>shorewall try </command>commands
+    restart</command>, <command>shorewall check</command>, and
-    allow you to specify a different directory for Shorewall to check before
+    <command>shorewall try </command>commands allow you to specify a different
-    looking in <filename class="directory">/etc/shorewall</filename>:</para>
+    directory for Shorewall to check before looking in <filename
+    class="directory">/etc/shorewall</filename>:</para>
 
-    <programlisting>     <command>shorewall [ -c &#60;configuration-directory&#62; ] {start|restart|check}</command>
+    <programlisting>     <command>shorewall [ -c &lt;configuration-directory&gt; ] {start|restart|check}</command>
-     <command>shorewall try &#60;configuration-directory&#62; [ &#60;timeout&#62; ]</command></programlisting>
+     <command>shorewall try &lt;configuration-directory&gt; [ &lt;timeout&gt; ]</command></programlisting>
 
-    <para>If a <emphasis>&#60;configuration-directory</emphasis>&#62; is
+    <para>If a <emphasis>&lt;configuration-directory</emphasis>&gt; is
     specified, each time that Shorewall is going to use a file in <filename
-    class="directory">/etc/shorewall</filename> it will first look in the<emphasis>
+    class="directory">/etc/shorewall</filename> it will first look in
-    &#60;configuration-directory&#62;</emphasis> . If the file is present in
+    the<emphasis> &lt;configuration-directory&gt;</emphasis> . If the file is
-    the <emphasis>&#60;configuration-directory&#62;,</emphasis> that file will
+    present in the <emphasis>&lt;configuration-directory&gt;,</emphasis> that
-    be used; otherwise, the file in <filename class="directory">/etc/shorewall</filename>
+    file will be used; otherwise, the file in <filename
-    will be used. When changing the configuration of a production firewall, I
+    class="directory">/etc/shorewall</filename> will be used. When changing
-    recommend the following:</para>
+    the configuration of a production firewall, I recommend the
+    following:</para>
 
     <itemizedlist>
       <listitem>
-        <para>If you haven&#39;t saved the current working configuration, do
+        <para>If you haven't saved the current working configuration, do so
-        so using <command>shorewall save</command>.</para>
+        using <command>shorewall save</command>.</para>
       </listitem>
 
       <listitem>
@@ -281,8 +305,8 @@
       </listitem>
 
       <listitem>
-        <para>&#60;copy any files that you need to change from /etc/shorewall
+        <para>&lt;copy any files that you need to change from /etc/shorewall
-        to . and change them here&#62;</para>
+        to . and change them here&gt;</para>
       </listitem>
 
       <listitem>
@@ -290,7 +314,7 @@
       </listitem>
 
       <listitem>
-        <para>&#60;correct any errors found by check and check again&#62;</para>
+        <para>&lt;correct any errors found by check and check again&gt;</para>
       </listitem>
 
       <listitem>
@@ -298,10 +322,10 @@
       </listitem>
     </itemizedlist>
 
-    <para>If the configuration starts but doesn&#39;t work, just
+    <para>If the configuration starts but doesn't work, just <quote>shorewall
-    <quote>shorewall restart</quote> to restore the old configuration. If the
+    restart</quote> to restore the old configuration. If the new configuration
-    new configuration fails to start, the <quote>try</quote> command will
+    fails to start, the <quote>try</quote> command will automatically restore
-    automatically restore your configuration.</para>
+    your configuration.</para>
 
     <para>When the new configuration works then just:</para>
 
@@ -332,13 +356,14 @@
         <term>add</term>
 
         <listitem>
-          <para><command>shorewall add &#60;interface&#62;[:&#60;host&#62;]
+          <para><command>shorewall add &lt;interface&gt;[:&lt;host&gt;]
-          &#60;zone&#62;</command></para>
+          &lt;zone&gt;</command></para>
 
           <para>Adds a host or subnet to a dynamic zone usually used with
-          VPN&#39;s.</para>
+          VPN's.</para>
 
-          <para>Example: <command>shorewall add ipsec0:192.0.2.24 vpn1</command></para>
+          <para>Example: <command>shorewall add ipsec0:192.0.2.24
+          vpn1</command></para>
 
           <para>adds the address 192.0.2.24 from interface ipsec0 to the zone
           vpn1.</para>
@@ -349,7 +374,7 @@
         <term>allow</term>
 
         <listitem>
-          <para><command>shorewall allow &#60;address&#62; ...</command></para>
+          <para><command>shorewall allow &lt;address&gt; ...</command></para>
 
           <para>Re-enables receipt of packets from hosts previously
           blacklisted by a drop or reject command.</para>
@@ -363,7 +388,7 @@
         <term>check</term>
 
         <listitem>
-          <para><command>shorewall [ -c &#60;configuration-directory&#62; ]
+          <para><command>shorewall [ -c &lt;configuration-directory&gt; ]
           check</command></para>
 
           <para>Performs a cursory validation of the zones, interfaces, hosts,
@@ -391,15 +416,16 @@
         <term>delete</term>
 
         <listitem>
-          <para><command>shorewall delete &#60;interface&#62;[:&#60;host&#62;]
+          <para><command>shorewall delete &lt;interface&gt;[:&lt;host&gt;]
-          &#60;zone&#62;</command></para>
+          &lt;zone&gt;</command></para>
 
           <para>Deletes the specified interface (and host if included) from
           the specified zone.</para>
 
           <para>Example:</para>
 
-          <para><command>shorewall delete ipsec0:192.0.2.24 vpn1</command></para>
+          <para><command>shorewall delete ipsec0:192.0.2.24
+          vpn1</command></para>
 
           <para>deletes the address 192.0.2.24 from interface ipsec0 from zone
           vpn1</para>
@@ -410,10 +436,10 @@
         <term>drop</term>
 
         <listitem>
-          <para><command>shorewall drop &#60;address&#62; ...</command></para>
+          <para><command>shorewall drop &lt;address&gt; ...</command></para>
 
-          <para>Causes packets from the specified &#60;<emphasis>address</emphasis>&#62;
+          <para>Causes packets from the specified
-          to be ignored</para>
+          &lt;<emphasis>address</emphasis>&gt; to be ignored</para>
         </listitem>
       </varlistentry>
 
@@ -421,11 +447,14 @@
         <term>forget</term>
 
         <listitem>
-          <para><command>shorewall forget [ &#60;filename&#62; ]</command></para>
+          <para><command>shorewall forget [ &lt;filename&gt;
+          ]</command></para>
 
-          <para>Deletes<filename> /var/lib/shorewall/&#60;filename&#62;</filename>.
+          <para>Deletes<filename>
-          If no &#60;<emphasis>filename</emphasis>&#62; is given then the file
+          /var/lib/shorewall/&lt;filename&gt;</filename>. If no
-          specified by RESTOREFILE in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
+          &lt;<emphasis>filename</emphasis>&gt; is given then the file
+          specified by RESTOREFILE in <ulink
+          url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
           is removed.</para>
         </listitem>
       </varlistentry>
@@ -434,9 +463,11 @@
         <term>help</term>
 
         <listitem>
-          <para><command>shorewall help [&#60;command&#62; | host | address ]</command></para>
+          <para><command>shorewall help [&lt;command&gt; | host | address
+          ]</command></para>
 
-          <para>Display helpful information about the shorewall commands.</para>
+          <para>Display helpful information about the shorewall
+          commands.</para>
         </listitem>
       </varlistentry>
 
@@ -448,7 +479,8 @@
 
           <para>Produces several reports about the Shorewall packet log
           messages in the current log file specified by the LOGFILE option in
-          <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
+          <ulink
+          url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -456,11 +488,12 @@
         <term>ipcalc</term>
 
         <listitem>
-          <para><command>shorewall ipcalc [ &#60;address&#62; &#60;mask&#62; |
+          <para><command>shorewall ipcalc [ &lt;address&gt; &lt;mask&gt; |
-          &#60;address&#62;/&#60;vlsm&#62; ]</command></para>
+          &lt;address&gt;/&lt;vlsm&gt; ]</command></para>
 
           <para>Ipcalc displays the network address, broadcast address,
-          network in CIDR notation and netmask corresponding to the input[s].</para>
+          network in CIDR notation and netmask corresponding to the
+          input[s].</para>
 
           <para>Example:</para>
 
@@ -473,7 +506,7 @@
 
         <listitem>
           <para><command>shorewall iprange
-          &#60;address1&#62;-&#60;address2&#62;</command></para>
+          &lt;address1&gt;-&lt;address2&gt;</command></para>
 
           <para>Iprange decomposes the specified range of IP addresses into
           the equivalent list of network/host addresses.</para>
@@ -484,7 +517,8 @@
         <term>logwatch</term>
 
         <listitem>
-          <para><command>shorewall logwatch [&#60;refresh interval&#62;]</command></para>
+          <para><command>shorewall logwatch [&lt;refresh
+          interval&gt;]</command></para>
 
           <para>Monitors the log file specified by theLOGFILE option in <ulink
           url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
@@ -497,7 +531,8 @@
         <term>monitor</term>
 
         <listitem>
-          <para><command>shorewall [-x] monitor [&#60;refresh_interval&#62;]</command></para>
+          <para><command>shorewall [-x] monitor
+          [&lt;refresh_interval&gt;]</command></para>
 
           <para>Continuously display the firewall status, last 20 log entries
           and nat. When the log entry display changes, an audible alarm is
@@ -527,10 +562,10 @@
         <term>reject</term>
 
         <listitem>
-          <para><command>shorewall reject &#60;address&#62; ...</command></para>
+          <para><command>shorewall reject &lt;address&gt; ...</command></para>
 
-          <para>Causes packets from the specified &#60;<emphasis>address</emphasis>&#62;s
+          <para>Causes packets from the specified
-          to be rejected</para>
+          &lt;<emphasis>address</emphasis>&gt;s to be rejected</para>
         </listitem>
       </varlistentry>
 
@@ -540,7 +575,8 @@
         <listitem>
           <para><command>shorewall reset</command></para>
 
-          <para>All the packet and byte counters in the firewall are reset.</para>
+          <para>All the packet and byte counters in the firewall are
+          reset.</para>
         </listitem>
       </varlistentry>
 
@@ -548,8 +584,8 @@
         <term>restart</term>
 
         <listitem>
-          <para><command>shorewall [ -q ] [ -c
+          <para><command>shorewall [ -q ] [ -c &lt;configuration-directory&gt;
-          &#60;configuration-directory&#62; ] restart</command></para>
+          ] restart</command></para>
 
           <para>Restart is similar to <command>shorewall stop</command>
           followed by <command>shorewall start</command>. Existing connections
@@ -562,15 +598,19 @@
         <term>restore</term>
 
         <listitem>
-          <para><command>shorewall [ -q ] restore [ &#60;filename&#62; ]</command></para>
+          <para><command>shorewall [ -q ] restore [ &lt;filename&gt;
+          ]</command></para>
 
           <para>Restore Shorewall to a state saved using the
           <command>shorewall save</command> command Existing connections are
-          maintained. The &#60;<emphasis>filename</emphasis>&#62; names a
+          maintained. The &lt;<emphasis>filename</emphasis>&gt; names a
-          restore file in <filename class="directory">/var/lib/shorewall</filename>
+          restore file in <filename
-          created using <command>shorewall save</command>; if no &#60;<emphasis>filename</emphasis>&#62;
+          class="directory">/var/lib/shorewall</filename> created using
-          is given then Shorewall will be restored from the file specified by
+          <command>shorewall save</command>; if no
-          the RESTOREFILE option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
+          &lt;<emphasis>filename</emphasis>&gt; is given then Shorewall will
+          be restored from the file specified by the RESTOREFILE option in
+          <ulink
+          url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -578,14 +618,16 @@
         <term>save</term>
 
         <listitem>
-          <para><command>shorewall save [ &#60;filename&#62; ]</command></para>
+          <para><command>shorewall save [ &lt;filename&gt; ]</command></para>
 
           <para>The dynamic data is stored in /var/lib/shorewall/save. The
-          state of the firewall is stored in <filename>/var/lib/shorewall/&#60;filename&#62;</filename>
+          state of the firewall is stored in
-          for use by the <command>shorewall restore</command> and
+          <filename>/var/lib/shorewall/&lt;filename&gt;</filename> for use by
-          <command>shorewall -f start</command> commands. If &#60;<emphasis>filename</emphasis>&#62;
+          the <command>shorewall restore</command> and <command>shorewall -f
+          start</command> commands. If &lt;<emphasis>filename</emphasis>&gt;
           is not given then the state is saved in the file specified by the
-          RESTOREFILE option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
+          RESTOREFILE option in <ulink
+          url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
         </listitem>
       </varlistentry>
 
@@ -593,12 +635,12 @@
         <term>show</term>
 
         <listitem>
-          <para><command>shorewall [ -x ] show [ &#60;chain&#62; [
+          <para><command>shorewall [ -x ] show [ &lt;chain&gt; [ &lt;chain&gt;
-          &#60;chain&#62; ...] |classifiers|connections|log|nat|tc|tos]</command></para>
+          ...] |classifiers|connections|log|nat|tc|tos]</command></para>
 
-          <para><command>shorewall [ -x ] show &#60;chain&#62; [
+          <para><command>shorewall [ -x ] show &lt;chain&gt; [ &lt;chain&gt;
-          &#60;chain&#62; ... ] </command> - produce a verbose report about
+          ... ] </command> - produce a verbose report about the Netfilter
-          the Netfilter chain(s). (<command>iptables -L chain -n -v</command>)</para>
+          chain(s). (<command>iptables -L chain -n -v</command>)</para>
 
           <para><command>shorewall [ -x ] show nat</command> - produce a
           verbose report about the nat table. (<command>iptables -t nat -L -n
@@ -630,14 +672,15 @@
 
         <listitem>
           <para><command>shorewall [ -q ] [ -f ] [ -c
-          &#60;configuration-directory&#62; ] start</command></para>
+          &lt;configuration-directory&gt; ] start</command></para>
 
           <para>Start shorewall. Existing connections through shorewall
           managed interfaces are untouched. New connections will be allowed
           only if they are allowed by the firewall rules or policies. If -q is
           specified, less detail is displayed making it easier to spot
           warnings If -f is specified, the saved configuration specified by
-          the RESTOREFILE option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
+          the RESTOREFILE option in <ulink
+          url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
           will be restored if that saved configuration exists</para>
         </listitem>
       </varlistentry>
@@ -649,12 +692,14 @@
           <para><command>shorewall stop</command></para>
 
           <para>Stops the firewall. All existing connections, except those
-          listed in <filename><ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>
+          listed in <filename><ulink
+          url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>
           or permitted by the ADMINISABSENTMINDED option in <ulink
           url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>,
           are taken down. The only new traffic permitted through the firewall
-          is from systems listed in <filename>/etc/shorewall/routestopped</filename>
+          is from systems listed in
-          or by ADMINISABSENTMINDED.</para>
+          <filename>/etc/shorewall/routestopped</filename> or by
+          ADMINISABSENTMINDED.</para>
         </listitem>
       </varlistentry>
 
@@ -675,8 +720,8 @@
         <term>try</term>
 
         <listitem>
-          <para><command>shorewall try &#60;configuration-directory&#62; [
+          <para><command>shorewall try &lt;configuration-directory&gt; [
-          &#60;timeout&#62; ]</command></para>
+          &lt;timeout&gt; ]</command></para>
 
           <para>Restart shorewall using the specified configuration. If an
           error occurs during the restart, then another shorewall restart is
@@ -686,7 +731,8 @@
 
           <para>When restarting using the default configuration, if the
           default restore script (as specified by the RESTOREFILE setting in
-          <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>)
+          <ulink
+          url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>)
           exists. then that script is used.</para>
         </listitem>
       </varlistentry>
@@ -712,7 +758,8 @@
 
     <para>You will note that the commands that result in state transitions use
     the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
-    That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
+    That is because the actual transitions are done by
+    <command>/usr/share/shorewall/firewall</command>;
     <command>/sbin/shorewall</command> runs <quote>firewall</quote> according
     to the following table:</para>
 
@@ -757,7 +804,8 @@
 
             <entry>firewall restart</entry>
 
-            <entry>Logically equivalent to <quote>firewall stop;firewall start</quote></entry>
+            <entry>Logically equivalent to <quote>firewall stop;firewall
+            start</quote></entry>
           </row>
 
           <row>
@@ -805,7 +853,7 @@
           <row>
             <entry>shorewall try</entry>
 
-            <entry>firewall -c &#60;new configuration&#62; restart If
+            <entry>firewall -c &lt;new configuration&gt; restart If
             unsuccessful then firewall start (standard configuration) If
             timeout then firewall restart (standard configuration)</entry>