diff --git a/manpages/shorewall-hosts.xml b/manpages/shorewall-hosts.xml
new file mode 100644
index 000000000..489088fc4
--- /dev/null
+++ b/manpages/shorewall-hosts.xml
@@ -0,0 +1,218 @@
+
+
+
+ shorewall-hosts
+
+ 5
+
+
+
+ hosts
+
+ Shorewall file
+
+
+
+
+ /etc/shorewall/hosts
+
+
+
+
+ Description
+
+ This file is used to define zones in terms of subnets and/or
+ individual IP addresses. Most simple setups don't need to (should not)
+ place anything in this file.
+
+ The order of entries in this file is not significant in determining
+ zone composition. Rather, the order that the zones are defined in
+ shorewall-zones(5) determines the order in which the records in this file
+ are interpreted.
+
+
+ The only time that you need this file is when you have more than
+ one zone connected through a single interface.
+
+
+
+ If you have an entry for a zone and interface in
+ shorewall-interfaces(5) then do not include any entries in this file for
+ that same (zone, interface) pair.
+
+
+ The columns in the file are as follows.
+
+
+
+ ZONE
+
+
+ The name of a zone defined in shorewall-zones(5). You may not
+ list the firewall zone in this column.
+
+
+
+
+ HOST(S)
+
+
+ The name of an interface defined in the
+ shorewall-interfaces(5) file followed by a colon (":") and a
+ comma-separated list whose elements are either:
+
+
+
+ The IP address of a host.
+
+
+
+ A network in CIDR format.
+
+
+
+ An IP address range of the form
+ low.address-high.address.
+ Your kernel and iptables must have iprange match support.
+
+
+
+ A physical port name; only allowed when the interface
+ names a bridge created by the brctl(8) addbr
+ command. This port must not be defined in
+ shorewall-interfaces(5) and may optionally followed by a colon
+ (":") and a host or network IP or a range. See
+ http://www.shorewall.net/bridge.html for details. Specifying a
+ physical port name requires that you have BRIDGING=Yes in
+ shorewall.conf(5).
+
+
+
+ Examples:
+
+
+ eth1:192.168.1.3
+
+ eth2:192.168.2.0/24
+
+ eth3:192.168.2.0/24,192.168.3.1
+
+ br0:eth4
+
+ br0:eth0:192.168.1.16/28
+
+ eth4:192.168.1.44-192.168.1.49
+
+ eth2:+Admin
+
+
+
+
+
+ OPTIONS
+
+
+ A comma-separated list of options from the following list. The
+ order in which you list the options is not significant but the list
+ should have no embedded white space.
+
+
+
+ maclist
+
+
+ Connection requests from these hosts are compared
+ against the contents of shorewall-maclist(5). If this option
+ is specified, the interface must be an ethernet NIC or
+ equivalent and must be up before Shorewall is started.
+
+
+
+
+ routeback
+
+
+ Shorewall should set up the infrastructure to pass
+ packets from this/these address(es) back to themselves. This
+ is necessary if hosts in this group use the services of a
+ transparent proxy that is a member of the group or if DNAT is
+ used to send requests originating from this group to a server
+ in the group.
+
+
+
+
+ blacklist
+
+
+ This option only makes sense for ports on a
+ bridge.
+
+ Check packets arriving on this port against the
+ shorewall-blacklist(5) file.
+
+
+
+
+ tcpflags
+
+
+ Packets arriving from these hosts are checked for
+ certain illegal combinations of TCP flags. Packets found to
+ have such a combination of flags are handled according to the
+ setting of TCP_FLAGS_DISPOSITION after having been logged
+ according to the setting of TCP_FLAGS_LOG_LEVEL.
+
+
+
+
+ nosmurfs
+
+
+ This option only makes sense for ports on a
+ bridge.
+
+ Filter packets for smurfs (packets with a broadcast
+ address as the source).
+
+ Smurfs will be optionally logged based on the setting of
+ SMURF_LOG_LEVEL in shorewall.conf(5). After logging, the
+ packets are dropped.
+
+
+
+
+ ipsec
+
+
+ The zone is accessed via a kernel 2.6 ipsec SA. Note
+ that if the zone named in the ZONE column is specified as an
+ IPSEC zone in the shorewall-zones(5) file then you do NOT need
+ to specify the 'ipsec' option here.
+
+
+
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/hosts
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-interfaces(5), shorewall-ipsec(5),
+ shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+ shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
+ shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
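Review bot: The last HOST(S) example, `eth2:+Admin`, uses a form that is not among the four element types listed for that column (host IP address, CIDR network, address range, bridge port name). Either add a list item that explains what a `+`-prefixed name means and what it requires, or drop the example, so readers are not left guessing which hosts end up in the zone. Smaller points in the same hunk: "may optionally followed by a colon" in the physical port item is missing "be"; the "See ALSO" heading does not match the casing of "FILES" and "Description"; and the file ends without a trailing newline.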
diff --git a/manpages/shorewall-providers.xml b/manpages/shorewall-providers.xml
new file mode 100644
index 000000000..45fe24858
--- /dev/null
+++ b/manpages/shorewall-providers.xml
@@ -0,0 +1,244 @@
+
+
+
+ shorewall-providers
+
+ 5
+
+
+
+ providers
+
+ Shorewall Providers file
+
+
+
+
+ /etc/shorewall/providers
+
+
+
+
+ Description
+
+ This file is used to define additional routing tables. You will want
+ to define an additional table if:
+
+
+
+ You have connections to more than one ISP or multiple
+ connections to the same ISP
+
+
+
+ You run Squid as a transparent proxy on a host other than the
+ firewall.
+
+
+
+ You have other requirements for policy routing.
+
+
+
+ Each entry in the file defines a single routing table.
+
+ The columns in the file are as follows.
+
+
+
+ NAME
+
+
+ The provider name. Must be a valid shell variable name. The
+ names 'local', 'main', 'default' and 'unspec' are reserved and may
+ not be used as provider names.
+
+
+
+
+ NUMBER
+
+
+ The provider number -- a number between 1 and 15. Each
+ provider must be assigned a unique value.
+
+
+
+
+ MARK
+
+
+ A FWMARK value used in your shorewall-tcrules(5) file to
+ direct packets to this provider.
+
+ If HIGH_ROUTE_MARKS=Yes in shorewall.conf(5), then the value
+ must be a multiple of 256 between 256 and 65280 or their hexadecimal
+ equivalents (0x0100 and 0xff00 with the low-order byte of the value
+ being zero). Otherwise, the value must be between 1 and 255. Each
+ provider must be assigned a unique mark value.
+
+
+
+
+ DUPLICATE
+
+
+ The name of an existing table to duplicate to create this
+ routing. May be 'main' or the name of a previous provider. You may
+ select only certain entries from the table to copy by using the COPY
+ column below.
+
+
+
+
+ INTERFACE
+
+
+ The name of the network interface to the provider. Must be
+ listed in shorewall-interfaces(5).
+
+
+
+
+ GATEWAY
+
+
+ The IP address of the provider's gateway router.
+
+ You can enter "detect" here and Shorewall will attempt to
+ detect the gateway automatically.
+
+ For PPP devices, you may omit this column.
+
+
+
+
+ OPTIONS (Optional)
+
+
+ A comma-separated list selected from the following. The order
+ of the options is not significant but the list may contain no
+ embedded whitespace.
+
+
+
+ track
+
+
+ If specified, inbound connections on this interface are
+ to be tracked so that responses may be routed back out this
+ same interface.
+
+ You want to specify 'track' if internet hosts will be
+ connecting to local servers through this provider.
+
+
+
+
+ balance
+
+
+ The providers that have 'balance' specified will get
+ outbound traffic load-balanced among them. By default, all
+ interfaces with 'balance' specified will have the same weight
+ (1). You can change the weight of an interface by specifiying
+ balance=<weight> where <weight> is the weight of
+ the route out of this interface.
+
+
+
+
+ loose
+
+
+ Shorewall normally adds a routing rule for each IP
+ address on an interface which forces traffic whose source is
+ that IP address to be sent using the routing table for that
+ interface. Setting 'loose' prevents creation of such rules on
+ this interface.
+
+
+
+
+ optional
+
+
+ If the interface named in the INTERFACE column is not
+ up and configured with an IPv4 address then ignore this
+ provider.
+
+
+
+
+
+
+
+ COPY
+
+
+ A comma-separated lists of other interfaces on your firewall.
+ Usually used only when DUPLICATE is 'main'. Only copy routes through
+ INTERFACE and through interfaces listed here. If you only wish to
+ copy routes through INTERFACE, enter 'none' here.
+
+
+
+
+
+
+ Examples
+
+
+
+ Example 1:
+
+
+ You run squid in your DMZ on IP address 192.168.2.99. Your DMZ
+ interface is eth2
+
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS
+ Squid 1 1 - eth2 192.168.2.99 -
+
+
+
+
+ Example 2:
+
+
+ eth0 connects to ISP 1. The IP address of eth0 is
+ 206.124.146.176 and the ISP's gateway router has IP address
+ 206.124.146.254.
+
+ eth1 connects to ISP 2. The IP address of eth1 is
+ 130.252.99.27 and the ISP's gateway router has IP address
+ 130.252.99.254.
+
+ eth2 connects to a local network.
+
+ #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+ ISP1 1 1 main eth0 206.124.146.254 track,balance eth2
+ ISP2 2 2 main eth1 130.252.99.254 track,balance eth2
+
+
+
+
+
+
+ FILES
+
+ /etc/shorewall/providers
+
+
+
+ See ALSO
+
+ shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+ shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
+ shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+ shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+ shorewall-policy(5), shorewall-proxyarp(5), shorewall-route_routes(5),
+ shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+ shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+ shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)
+
+
\ No newline at end of file
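Review bot: The COPY column is described without an "(Optional)" marker, unlike OPTIONS, yet Example 1 omits it from both the header and the entry while Example 2 includes it. State in the COPY description whether the column may be omitted and what happens when it is, or add it to Example 1 so both examples use the same layout. The DUPLICATE text "to duplicate to create this routing" appears to be missing the word "table". It would also help to say that the MARK values 1 and 2 in Example 2 assume HIGH_ROUTE_MARKS is not set to Yes, since the MARK description requires multiples of 256 in that case. Minor: "specifiying" under balance, "A comma-separated lists" under COPY, the "See ALSO" heading casing, and the missing trailing newline at the end of the file.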