Merge branch 'master' of ssh://git.code.sf.net/p/shorewall/code

2024-11-26 17:43:15 +01:00 · 2016-02-15 10:51:31 -08:00 · 2016-02-15 10:51:31 -08:00 · ddd4eb16b5
commit ddd4eb16b5
parent bf8c131545 fcf435bc16
4 changed files with 174 additions and 134 deletions
--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@ -74,16 +74,14 @@
    have a web server in your DMZ connected to eth1, then to count HTTP
    traffic in both directions requires two rules:</para>
-    <programlisting>        #ACTION CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
+    <programlisting>        #ACTION         CHAIN   SOURCE  DEST    PROTO   DPORT   SPORT   USER    MARK    IPSEC
        #                                                       PORT            PORT
        DONE            -       eth0    eth1    tcp     80
        DONE            -       eth1    eth0    tcp     -       80</programlisting>
    <para>Associating a counter with a chain allows for nice reporting. For
    example:</para>
-    <programlisting>        #ACTION         CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
+    <programlisting>        #ACTION         CHAIN   SOURCE  DEST    PROTO   DPORT   SPORT   USER    MARK    IPSEC
        #                                                               PORT            PORT
        web:COUNT       -       eth0    eth1    tcp     80
        web:COUNT       -       eth1    eth0    tcp     -       80
        web:COUNT       -       eth0    eth1    tcp     443
@ -110,8 +108,7 @@
    <para>Here is a slightly different example:</para>
-    <programlisting>        #ACTION         CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
+    <programlisting>        #ACTION         CHAIN   SOURCE  DEST    PROTO   DPORT   SPORT   USER    MARK    IPSEC
        #                                                               PORT            PORT
        web             -       eth0    eth1    tcp     80
        web             -       eth1    eth0    tcp     -       80
        web             -       eth0    eth1    tcp     443
@ -152,8 +149,7 @@
      you have to reverse the rules below.</para>
    </caution>
-    <programlisting>        #ACTION         CHAIN   SOURCE  DESTINATION     PROTOCOL        DEST            SOURCE
+    <programlisting>        #ACTION         CHAIN   SOURCE  DEST    PROTO   DPORT   SPORT   USER    MARK    IPSEC
        #                                                               PORT            PORT
        web             -       eth0    -       tcp     80
        web             -       -       eth0    tcp     -       80
        web             -       eth0    -       tcp     443
@ -309,7 +305,7 @@
    <para>Section headers have the form:</para>
-    <para><option>SECTION</option>
+    <para><option>?SECTION</option>
    <replaceable>section-name</replaceable></para>
    <para>When sections are enabled:</para>
@ -414,17 +410,17 @@
      lives on the firewall itself.</para>
    </caution>
-    <programlisting>#ACTION				CHAIN           SOURCE                          DESTINATION                   PROTO   DEST            SOURCE  USER/    MARK     IPSEC
+    <programlisting>
-#                                      		                                                              	      PORT(S)         PORT(S) GROUP
+#ACTION                         CHAIN   SOURCE  DEST    PROTO   DPORT   SPORT   USER    MARK    IPSEC
-SECTION INPUT
+?SECTION INPUT
 ACCOUNT(fw-net,$FW_NET)		-	COM_IF
 ACCOUNT(dmz-net,$DMZ_NET)  	-	COM_IF
-SECTION OUTPUT
+?SECTION OUTPUT
 ACCOUNT(fw-net,$FW_NET)		-	-	COM_IF
 ACCOUNT(dmz-net,$DMZ_NET)   	-	-	COM_IF
-SECTION FORWARD
+?SECTION FORWARD
 ACCOUNT(loc-net,$INT_NET)   	-	COM_IF	INT_IF
 ACCOUNT(loc-net,$INT_NET)   	-	INT_IF	COM_IF
 </programlisting>
@ -504,7 +500,7 @@ ACCOUNT(loc-net,$INT_NET)   	-		INT_IF				COM_IF
    is eth1 with network 172.20.1.0/24. To account for all traffic between the
    WAN and LAN interfaces:</para>
-    <programlisting>#ACTION                         CHAIN        SOURCE              DEST          ...
+    <programlisting>#ACTION                         CHAIN   SOURCE  DEST    PROTO   DPORT   SPORT   USER    MARK    IPSEC
 ACCOUNT(net-loc,172.20.1.0/24)  -       eth0    eth1
 ACCOUNT(net-loc,172.20.1.0/24)  -       eth1    eth0</programlisting>
--- a/docs/Audit.xml
+++ b/docs/Audit.xml
@ -139,9 +139,8 @@
        <para>Example:</para>
-        <programlisting>#SOURCE	DEST	POLICY		LOG
+        <programlisting>#SOURCE         DEST            POLICY
-#				LEVEL
+net	        $FW             DROP:audit</programlisting>
 net	fw      DROP:audit</programlisting>
        <para>It is allowed to also specify a log level on audited policies
        resulting in both auditing and logging.</para>
@ -330,11 +329,11 @@ A_ACCEPT:info  loc          net        ...</programlisting>
        <para> The parameters can be passed in the POLICY column of the policy
        file. </para>
-        <programlisting>SOURCE	DEST	POLICY
+        <programlisting>#SOURCE         DEST            POLICY
 net	        all	        DROP:Drop(audit):audit  #Same as DROP:A_DROP:audit
 </programlisting>
-        <programlisting>SOURCE	DEST	POLICY
+        <programlisting>#SOURCE         DEST            POLICY
 net             all             DROP:Drop(-,DROP) #DROP rather than REJECT Auth
 </programlisting>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@ -207,28 +207,26 @@
      port-forwarding rule <emphasis>from the net</emphasis> to a local system
      is as follows:</para>
-      <programlisting>#ACTION    SOURCE      DEST                                   PROTO        DEST PORT
+      <programlisting>#ACTION    SOURCE      DEST                                   PROTO        DPORT
 DNAT       net         loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>]      <emphasis>protocol</emphasis>     <emphasis>port-number</emphasis></programlisting>
      <para>So to forward UDP port 7777 to internal system 192.168.1.5, the
      rule is:</para>
-      <programlisting>#ACTION    SOURCE   DEST             PROTO    DEST PORT
+      <programlisting>#ACTION    SOURCE   DEST             PROTO    DPORT
 DNAT       net      loc:192.168.1.5  udp      7777</programlisting>
      <para>If you want to forward requests directed to a particular address (
      <emphasis>external-IP</emphasis> ) on your firewall to an internal
      system:</para>
-      <programlisting>#ACTION SOURCE DEST                                   PROTO       DEST PORT     SOURCE  ORIGINAL
+      <programlisting>#ACTION SOURCE DEST                                   PROTO       DPORT         SPORT   ORIGDEST
 #                                                                               PORT    DEST.
 DNAT    net    loc:<emphasis>local-IP-address</emphasis>&gt;[:<emphasis>local-port</emphasis>]     <emphasis>protocol</emphasis>    <emphasis>port-number</emphasis>   -       <emphasis>external-IP</emphasis></programlisting>
      <para>If you want to forward requests from a particular Internet address
      ( <emphasis>address</emphasis> ):</para>
-      <programlisting>#ACTION SOURCE        DEST                                   PROTO       DEST PORT     SOURCE  ORIGINAL
+      <programlisting>#ACTION SOURCE        DEST                                   PROTO       DPORT         SPORT   ORIGDEST
 #                                                                                      PORT    DEST.
 DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</emphasis>[:<emphasis>local-port</emphasis>]  <emphasis>    protocol</emphasis>    <emphasis>port-number</emphasis>   -</programlisting>
      <para>Finally, if you need to forward a range of ports, in the DEST PORT
@ -386,7 +384,7 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
        <para><emphasis role="bold">Answer:</emphasis>In
        /<filename>etc/shorewall/rules</filename>:</para>
-        <programlisting>#ACTION    SOURCE   DEST                PROTO    DEST PORT
+        <programlisting>#ACTION    SOURCE   DEST                PROTO    DPORT
 DNAT       net      loc:192.168.1.3:22  tcp      1022</programlisting>
      </section>
@ -448,8 +446,7 @@ DNAT    net     fw:192.168.1.1:22       tcp     4104</programlisting>
          </listitem>
          <listitem>
-            <para>You have this rule on the Shorewall system:<programlisting>#ACTION    SOURCE        DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
+            <para>You have this rule on the Shorewall system:<programlisting>#ACTION    SOURCE        DEST               PROTO    DPORT       SPORT     ORIGDEST
 #                                                                PORT      DEST.
 DNAT       net           loc:192.168.1.4    tcp      21          -         206.124.146.176</programlisting></para>
          </listitem>
@ -514,14 +511,22 @@ eth1:192.168.1.4        0.0.0.0/0          192.168.1.1        tcp           21</
        that your Internet zone is named <emphasis>net</emphasis> and connects
        on interface <filename class="devicefile">eth0</filename>:</para>
-        <para>In <filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION    SOURCE        DEST                   PROTO    DEST PORT   SOURCE    ORIGINAL
+        <para>In <filename>/etc/shorewall/rules</filename>:<programlisting>#ACTION    SOURCE        DEST                   PROTO    DPORT   SPORT   ORIGDEST
-#                                                                    PORT      DEST.
+
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
 DNAT       net           net:66.249.93.111:993  tcp      80      -       206.124.146.176</programlisting></para>
        <para>In <filename>/etc/shorewall/interfaces</filename>, specify the
        <emphasis role="bold">routeback</emphasis> option on
-        eth0:<programlisting>#ZONE      INTERFACE     BROADCAST            OPTIONS
+        eth0:<programlisting>?FORMAT 2
-net        eth0          detect               <emphasis role="bold">routeback</emphasis></programlisting></para>
+#ZONE		INTERFACE		OPTIONS
 net             eth0                    <emphasis role="bold">routeback</emphasis></programlisting></para>
        <para><filename>/etc/shorewall/masq</filename>;<programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 eth0:66.249.93.111      0.0.0.0/0       206.124.146.176 tcp     993</programlisting></para>
@ -542,8 +547,7 @@ eth0:66.249.93.111  0.0.0.0/0   206.124.146.176  tcp          993</programlistin
        <para><emphasis role="bold">Answer</emphasis>: Use this rule.</para>
-        <programlisting>#ACTION         SOURCE        DEST        PROTO        DEST
+        <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT
 #                                                      PORT(S)
 REDIRECT        net             22              tcp     9022</programlisting>
        <para>Note that the above rule will also allow connections from the
@ -617,8 +621,7 @@ TOS=0x00 PREC=0x00 TTL=63 ID=23035 PROTO=UDP SPT=6376 DPT=2055 LEN=1472</program
      <para>Example:</para>
-      <programlisting>#ACTION    SOURCE        DEST                   PROTO    DEST PORT   SOURCE    ORIGINAL
+      <programlisting>#ACTION         SOURCE          DEST                    PROTO   DPORT   SPORT   ORIGDEST
 #                                                                    PORT      DEST.
 DNAT            net             net:192.168.4.22        tcp     80,443  -       <emphasis
          role="bold">206.124.146.178</emphasis></programlisting>
    </section>
@ -704,14 +707,15 @@ DNAT       net           net:192.168.4.22       tcp      80,443      -         <
        <listitem>
          <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
-          <programlisting>#ZONE    INTERFACE    BROADCAST    OPTIONS
+          <programlisting>?FORMAT 2
-loc      eth1         detect       <emphasis role="bold">routeback</emphasis>    </programlisting>
+#ZONE           INTERFACE               OPTIONS
 loc             eth1                    <emphasis role="bold">routeback</emphasis></programlisting>
        </listitem>
        <listitem>
          <para>In <filename>/etc/shorewall/masq</filename>:</para>
-          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S)
+          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 <emphasis role="bold">eth1:192.168.1.5        192.168.1.0/24  192.168.1.254   tcp     www</emphasis></programlisting>
          <para>Note: The technique described here is known as
@ -721,15 +725,22 @@ loc      eth1         detect       <emphasis role="bold">routeback</emphasis>
          <emphasis>external IP address</emphasis> be used as the
          source:</para>
-          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT(S)
+          <programlisting>#INTERFACE              SOURCE          ADDRESS         PROTO   PORT
 eth1:192.168.1.5        192.168.1.0/24  <emphasis role="bold">130.151.100.69</emphasis>  tcp     www</programlisting>
        </listitem>
        <listitem>
          <para>In <filename>/etc/shorewall/rules</filename>:</para>
-          <programlisting>#ACTION    SOURCE       DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
+          <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST
-#                                                               PORT      DEST.
+
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
 <emphasis role="bold">DNAT            loc             loc:192.168.1.5 tcp     www     -       130.151.100.69</emphasis></programlisting>
          <para>That rule (and the second one in the previous bullet) only
@ -741,8 +752,15 @@ eth1:192.168.1.5        192.168.1.0/24  <emphasis role="bold">130.151.100.69</em
          <para>and make your DNAT rule:</para>
-          <programlisting>#ACTION    SOURCE        DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
+          <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST
-#                                                                PORT      DEST.
+
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
 DNAT            loc             loc:192.168.1.5 tcp     www     -       <emphasis
              role="bold">$ETH0_IP</emphasis></programlisting>
@ -825,13 +843,13 @@ DNAT       loc           loc:192.168.1.5    tcp      www         -         <emph
          <para>In <filename>/etc/shorewall/interfaces</filename>:</para>
-          <programlisting>#ZONE    INTERFACE    BROADCAST       OPTIONS
+          <programlisting>?FORMAT 2
-dmz      eth2         192.168.2.255   <emphasis role="bold">routeback</emphasis> </programlisting>
+#ZONE           INTERFACE               OPTIONS
 dmz             eth2                    <emphasis role="bold">routeback</emphasis> </programlisting>
          <para>In <filename>/etc/shorewall/masq</filename>:</para>
-          <programlisting>#INTERFACE:         SOURCE           ADDRESS
+          <programlisting>#INTERFACE              SOURCE
 #ADDRESS
 eth2:192.168.1.2        192.168.2.0/24</programlisting>
          <para>In <filename>/etc/shorewall/nat</filename>, be sure that you
@ -862,8 +880,15 @@ eth2:192.168.1.2    192.168.2.0/24</programlisting>
        <para>You can enable access to the server from your local network
        using the firewall's external IP address by adding this rule:</para>
-        <programlisting>#ACTION    SOURCE   DEST                PROTO    DEST PORT(S)    SOURCE      ORIGINAL
+        <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST
-#                                                                PORT        DEST                 
+
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
 <emphasis role="bold">DNAT            loc             dmz:192.168.2.4 tcp     80      -       206.124.146.176</emphasis></programlisting>
        <para>If your external IP address is dynamic, then you must do the
@ -875,8 +900,15 @@ eth2:192.168.1.2    192.168.2.0/24</programlisting>
        <para>and make your DNAT rule:</para>
-        <programlisting>#ACTION    SOURCE        DEST               PROTO    DEST PORT   SOURCE    ORIGINAL
+        <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT   SPORT   ORIGDEST
-#                                                                PORT      DEST.
+
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
 DNAT            loc             dmz:192.168.2.4 tcp     80      -       <emphasis
            role="bold">$ETH0_IP</emphasis></programlisting>
@ -1433,16 +1465,23 @@ net-fw DROP  eth2 5 packets from 61.158.162.9 to 206.124.146.177</programlisting
        <para><emphasis role="bold">Answer:</emphasis> Temporarily add the
        following rule:</para>
-        <programlisting>#ACTION   SOURCE    DEST    PROTO    DEST PORT(S)
+        <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT
 DROP      net       fw      udp      10619</programlisting>
-        <para>Alternatively, if you do not set BLACKLIST_LOGLEVEL and you have
+?SECTION ALL
-        specifed the 'blacklist' option on your external interface in
+?SECTION ESTABLISHED
-        <filename>/etc/shorewall/interfaces</filename>, then you can blacklist
+?SECTION RELATED
-        the port. In <filename>/etc/shorewall/blacklist</filename>:</para>
+?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
-        <programlisting>#ADDRESS/SUBNET         PROTOCOL        PORT
+DROP            net             $FW             udp     10619</programlisting>
-                       udp             10619</programlisting>
+
        <para>Alternatively, if you do not set BLACKLIST_LOGLEVEL you can blacklist
        the port. In <filename>/etc/shorewall/blrules</filename>:</para>
        <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT
 DROP            net             $FW             udp     10619</programlisting>
      </section>
      <section id="faq6d">
@ -2361,12 +2400,11 @@ gateway:~# </programlisting>
      <para><emphasis role="bold">Answer:</emphasis> Suppose that you want all
      traffic to go out through ISP1 (mark 1) unless you specify otherwise.
      Then simply add these two rules as the first marking rules in your
-      <filename>/etc/shorewall/mangle</filename>
+      <filename>/etc/shorewall/mangle</filename> (was tcrules) file:</para>
      (<filename>/etc/shorewall/tcrules</filename>) file:</para>
      <programlisting>#ACTION         SOURCE          DEST
-1:P           0.0.0.0/0
+MARK(1):P       0.0.0.0/0
-1             $FW
+MARK(1)         $FW
 <emphasis>other MARK rules</emphasis></programlisting>
      <para>Now any traffic that isn't marked by one of your other MARK rules
@ -2449,7 +2487,7 @@ root@gateway:~#</programlisting>
      at 10-12kb and adjust as necessary. Example (simple traffic
      shaping):</para>
-      <programlisting>#INTERFACE	TYPE		IN-BANDWIDTH			OUT-BANDWIDTH
+      <programlisting>#INTERFACE      TYPE            IN_BANDWIDTH            OUT_BANDWIDTH
 eth0            External        50mbit:200kb            5.0mbit:100kb:200ms:100mbit:<emphasis
          role="bold">10kb</emphasis>
 </programlisting>
@ -2495,8 +2533,7 @@ root@gateway:/etc/shorewall#
      <para>Example from /etc/shorewall/tcdevices:</para>
-      <programlisting>#NUMBER:        IN-BANDWIDTH            OUT-BANDWIDTH   OPTIONS
+      <programlisting>#INTERFACE      IN_BANDWITH             OUT_BANDWIDTH   OPTIONS
 #INTERFACE
 1:COMB_IF       <emphasis role="bold">~20mbit:250ms:4sec</emphasis>      ${UPLOAD}kbit   hfsc,linklayer=ethernet,overhead=0</programlisting>
      <para>To create a rate-estimated filter, precede the bandwidth with a
@ -2674,7 +2711,15 @@ VS3=fw:192.168.2.14</programlisting>
      <para><filename>/etc/shorewall/rules</filename>:</para>
-      <programlisting>#ACTION      SOURCE         DEST        PROTO         DEST PORT(S)
+      <programlisting>#ACTION         SOURCE          DEST            PROTO   DPORT
 ?SECTION ALL
 ?SECTION ESTABLISHED
 ?SECTION RELATED
 ?SECTION INVALID
 ?SECTION UNTRACKED
 ?SECTION NEW
 ACCEPT          $VS1            net             tcp     25
 DNAT            net             $VS1            tcp     25
 etc...</programlisting>
@ -2925,7 +2970,7 @@ else
    <section id="faq26">
      <title>(FAQ 26) When I try to use any of the SYN options in nmap on or
      behind the firewall, I get <quote>operation not permitted</quote>. How
-      can I use nmap with Shorewall?"</title>
+      can I use nmap with Shorewall?</title>
      <para><emphasis role="bold">Answer:</emphasis> Temporarily remove any
      <emphasis role="bold">rejNotSyn</emphasis>, <emphasis
@ -2993,8 +3038,8 @@ REJECT    fw            net:pagead2.googlesyndication.com    all</programlisting
      was equivalent to:</para>
      <para><programlisting>#ACTION         SOURCE          DEST                    PROTO
-REJECT    fw            net:216.239.37.99    all
+REJECT          $FW             net:216.239.37.99       all
-REJECT    fw            net:216.239.39.99    all</programlisting>Given that
+REJECT          $FW             net:216.239.39.99       all</programlisting>Given that
      name-based multiple hosting is a common practice (another example:
      lists.shorewall.net and www1.shorewall.net are both hosted on the same
      system with a single IP address), it is not possible to filter
@ -3079,10 +3124,9 @@ gateway:~# </programlisting>
      <para><emphasis role="bold">Answer:</emphasis> Add these two
      policies:</para>
-      <programlisting>#SOURCE            DESTINATION             POLICY            LOG              LIMIT:BURST
+      <programlisting>#SOURCE         DEST            POLICY  LOGLEVEL        LIMIT   CONNLIMIT
 #                                                            LEVEL
 $FW             loc             ACCEPT
-loc                $FW                     ACCEPT           </programlisting>
+loc             $FW             ACCEPT</programlisting>
      <para>You should also delete any ACCEPT rules from $FW-&gt;loc and
      loc-&gt;$FW since those rules are redundant with the above
@ -3161,7 +3205,7 @@ EXT_IF:172.20.1.2	     	0.0.0.0/0		172.20.1.254
          <programlisting>#INTERFACE              SOURCE          ADDRESS
-COMMENT DSL Modemhttp://ipv6.shorewall.net/SimpleBridge.html
+COMMENT DSL Modem
 EXT_IF:192.168.1.1      0.0.0.0/0       192.168.1.254
 </programlisting>
@ -3193,6 +3237,7 @@ EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
      role="bold">fw</emphasis>:</para>
      <programlisting>#ZONE           TYPE            OPTIONS
 <emphasis role="bold">fw</emphasis>              firewall</programlisting>
      <para>So, using the default or sample configurations, writing <emphasis
@ -3203,6 +3248,7 @@ EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
      <emphasis role="bold">gate</emphasis>.</para>
      <programlisting>#ZONE           TYPE            OPTIONS
 <emphasis role="bold">gate</emphasis>            firewall</programlisting>
      <section id="faq95a">
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@ -92,7 +92,7 @@
    <orderedlist>
      <listitem>
-        <para>Beginning with Shorewall 4.6.0, ection headers are now preceded
+        <para>Beginning with Shorewall 4.6.0, section headers are now preceded
        by '?' (e.g., '?SECTION ...'). If your configuration contains any bare
        'SECTION' entries, the following warning is issued:</para>
@ -1139,8 +1139,7 @@ shorewall restart</command></programlisting> The RPMs are set up so that if
        <para>Example:</para>
-        <programlisting>#SOURCE         DEST            POLICY          LOG
+        <programlisting>#SOURCE         DEST            POLICY          LOGLEVEL
 #                                               LEVEL
 loc             net             ACCEPT
 net             all             DROP:MyDrop     info
 #