diff --git a/Shorewall/rules b/Shorewall/rules
index 48bee3c11..11a6c9176 100755
--- a/Shorewall/rules
+++ b/Shorewall/rules
@@ -47,8 +47,21 @@
 # (those) zone(s).
 # LOG -- Simply log the packet and continue.
 #
-# May optionally be followed by ":" and a syslog log
-# level (e.g, REJECT:info). This causes the packet to be
+# You may rate-limit the rule by optionally
+# following ACCEPT,DNAT[-] or REDIRECT[-] with
+#
+# < /: >
+#
+# where is the number of connections per
+# ("sec" or "min") and is the
+# largest burst permitted. There may be
+# no whitespace embedded in the specification.
+#
+# Example: ACCEPT<10/sec:20>
+#
+# The ACTION (and rate limit) may optionally be followed
+# by ":" and a syslog log level (e.g, REJECT:info or
+# DNAT<4/sec:8>:debugging). This causes the packet to be
 # logged at the specified level.
 #
 # You may also specify ULOG (must be in upper case) as a
@@ -56,19 +69,6 @@
 # to a separate log through use of ulogd
 # (http://www.gnumonks.org/projects/ulogd).
 #
-# Finally, you may rate-limit the rule by optionally
-# ending the ACTION with
-#
-# < /: >
-#
-# where is the number of connections per
-# ("sec" or "min") and is the
-# largest burst permitted. Rate limiting may only be
-# used with ACCEPT, DNAT and REDIRECT and there may be
-# no whitespace embedded in the specification.
-#
-# Example: <10/sec:20>
-#
 # SOURCE Source hosts to which the rule applies. May be a zone
 # defined in /etc/shorewall/zones, $FW to indicate the
 # firewall itself, or "all" If the ACTION is DNAT or 
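Review bot: The added rate-limit description in the first hunk never states what happens to connection requests that exceed the limit — whether they simply fail to match this rule and fall through to the following rules and the zone policy, or are dropped — and that is exactly what an administrator choosing the burst value needs to know; if fall-through is the behaviour, a line after `# no whitespace embedded in the specification.` such as `# Connections above the limit do not match this rule and are handled by the rules and policy that follow.` would close the gap. The placeholder names inside `< /: >` and in `# where is the number of connections per` read as empty here; this is most likely angle-bracketed tokens being stripped when the page was rendered, but if the file itself reads this way the names must be restored (for example `<RATE/INTERVAL:BURST>`, constructed names). The new text also carries `e.g,` where `e.g.,` is meant. The example hunk at line 219 uses the same `DNAT<3/sec:10>` syntax and inherits the same missing statement about over-limit handling.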
@@ -219,6 +219,14 @@ #
 # PORT PORT(S) DEST
 # DNAT net loc:192.168.1.3 tcp ssh,http
 #
+# Example: Forward all http connection requests from the internet
+# to local system 192.168.1.3 with a limit of 3 per second and
+# a maximum burst of 10
+#
+# #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
+# # PORT PORT(S) DEST
+# DNAT<3/sec:10> net loc:192.168.1.3 tcp http
+#
 # Example: Redirect all locally-originating www connection requests to
 # port 3128 on the firewall (Squid running on the firewall
 # system) except when the destination address is 192.168.2.2