diff --git a/manpages/shorewall-policy.xml b/manpages/shorewall-policy.xml
new file mode 100644
index 000000000..b113994c3
--- /dev/null
+++ b/manpages/shorewall-policy.xml
@@ -0,0 +1,237 @@
+
+
+
+ shorewall-policy
+
+ 5
+
+
+
+ policy
+
+ Shorewall policy file
+
+
+
+
+ /etc/shorewall/policy
+
+
+
+
+ Description
+
+ This file defines the high-level policy for connections between
+ zones defined in /etc/shorewall/zones.
+
+
+ The order of entries in this file is important
+
+ This file determines what to do with a new connection request if
+ we don't get a match from the /etc/shorewall/rules file . For each
+ source/destination pair, the file is processed in order until a match is
+ found ("all" will match any client or server).
+
+
+
+ Intra-zone policies are pre-defined
+
+ For $FW and for all of the zoned defined in /etc/shorewall/zones,
+ the POLICY for connections from the zone to itself is ACCEPT (with no
+ logging or TCP connection rate limiting but may be overridden by an
+ entry in this file. The overriding entry must be explicit (cannot use
+ "all" in the SOURCE or DEST).
+
+ Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
+ then the implicit policy to/from any sub-zone is CONTINUE. These
+ implicit CONTINUE policies may also be overridden by an explicit entry
+ in this file.
+
+
+ The columns in the file are as follows.
+
+
+
+ SOURCE
+
+
+ Source zone. Must be the name of a zone defined in
+ /etc/shorewall/zones, $FW or "all".
+
+
+
+
+ DEST
+
+
+ Destination zone. Must be the name of a zone defined in
+ /etc/shorewall/zones, $FW or "all"
+
+
+
+
+ POLICY
+
+
+ Policy if no match from the rules file is found. Must be
+ "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
+
+
+
+ ACCEPT
+
+
+ Accept the connection.
+
+
+
+
+ DROP
+
+
+ Ignore the connection request.
+
+
+
+
+ REJECT
+
+
+ For TCP, send RST. For all other, send an "unreachable"
+ ICMP.
+
+
+
+
+ CONTINUE
+
+
+ Pass the connection request past any other rules that it
+ might also match (where the source or destination zone in
+ those rules is a superset of the SOURCE or DEST in this
+ policy).
+
+
+
+
+ NONE
+
+
+ Assume that there will never be any packets from this
+ SOURCE to this DEST. Shorewall will not create any
+ infrastructure to handle such packets and you may not have any
+ rules with this SOURCE and DEST in the /etc/shorewall/rules
+ file such a packet _is_ received, the result is undefined.
+ NONE may not be used if the SOURCE or DEST columns contain the
+ firewall zone ($FW) or "all".
+
+
+
+
+ If the policy is DROP or REJECT then the policy may be
+ followed by ":" and one of the following:
+
+
+
+ The word "None" or "none". This causes any default action
+ defined in /etc/shorewall/shorewall.conf to be omitted for this
+ policy.
+
+
+
+ The name of an action (requires that USE_ACTIONS=Yes in
+ shorewall.conf). That action will be invoked before the policy
+ is enforced.
+
+
+
+ The name of a macro. The rules in that macro will be
+ applied before the policy is enforced. This does not require
+ USE_ACTIONS=Yes.
+
+
+
+
+
+
+ LOG LEVEL (Optional)
+
+
+ If supplied, each connection handled under the default POLICY
+ is logged at that level. If not supplied, no log message is
+ generated. See syslog.conf(5) for a description of log
+ levels.
+
+ You may also specify ULOG (must be in upper case). This will
+ log to the ULOG target and sent to a separate log through use of
+ ulogd (http://www.gnumonks.org/projects/ulogd).
+
+ If you don't want to log but need to specify the following
+ column, place "-" here.
+
+
+
+
+ BURST:LIMIT
+
+
+ If passed, specifies the maximum TCP connection rate and the
+ size of an acceptable burst. If not specified, TCP connections are
+ not limited.
+
+
+
+
+
+
+ Example
+
+
+
+ All connections from the local network to the internet are
+ allowed
+
+
+
+ All connections from the internet are ignored but logged at
+ syslog level KERNEL.INFO.
+
+
+
+ All other connection requests are rejected and logged at level
+ KERNEL.INFO.
+
+
+
+ #SOURCE DEST POLICY LOG BURST:LIMIT
+# LEVEL
+loc net ACCEPT
+net all DROP info
+#
+# THE FOLLOWING POLICY MUST BE LAST
+#
+all all REJECT info
+
+
+
+ FILES
+
+ /etc/shorewall/policy
+
+
+
+ See ALSO
+
+ http://shorewall.net/Documentation.htm#Policy
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+ shorewall-route_routes(5), shorewall-routestopped(5), shorewall-rules(5),
+ shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+ shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+ shorewall-zones(5)
+
+
\ No newline at end of file
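Review bot: The NONE description loses its sentence break exactly at the caveat that matters: "in the /etc/shorewall/rules file such a packet _is_ received, the result is undefined" should read "... rules file. If such a packet _is_ received, the result is undefined." Other points in this new file: the intra-zone paragraph opens a parenthesis at "(with no logging or TCP connection rate limiting" and never closes it, and "zoned" there should be "zones". The BURST:LIMIT entry describes a rate and a burst size but gives neither the syntax nor the units, and the example does not use the column. The "See ALSO" list references shorewall-policy(5) from its own page, and its heading case differs from "FILES". Finally, the file is added without a trailing newline.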
diff --git a/manpages/shorewall-zones.xml b/manpages/shorewall-zones.xml
index f3b54f0a9..0d8560855 100644
--- a/manpages/shorewall-zones.xml
+++ b/manpages/shorewall-zones.xml
@@ -59,7 +59,7 @@
Example:
- #ZONE TYPE OPTIONS
+ #ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS
a ipv4
b ipv4
c:a,b ipv4
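Review bot: The new header line "#ZONE TYPE OPTIONS IN OPTIONS OUT OPTIONS" names columns with embedded spaces in a whitespace-delimited file, so as shown here it reads as five separate words after TYPE rather than three columns. Align the header so the column boundaries are unambiguous, or join the words (for example with an underscore). The example rows below it are unchanged and fill only ZONE and TYPE, so the example does not yet show the added columns in use. This is also the only hunk for shorewall-zones.xml, so please confirm the column descriptions elsewhere in the page already cover IN OPTIONS and OUT OPTIONS.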