diff --git a/Shorewall-docs/Documentation.xml b/Shorewall-docs/Documentation.xml
index 28101a732..757f8d31b 100644
--- a/Shorewall-docs/Documentation.xml
+++ b/Shorewall-docs/Documentation.xml
@@ -30,8 +30,8 @@
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
- Texts. A copy of the license is included in the section entitled "GNU Free Documentation License".
+ Texts. A copy of the license is included in the section entitled
+ GNU Free Documentation License.
@@ -71,7 +71,7 @@
a parameter file installed in /etc/shorewall that defines a
- network partitioning into "zones"
+ network partitioning into zones
@@ -366,8 +366,8 @@
is reserved for use by Shorewall itself. Note that the output
produced by iptables is much easier to read if you select short
names that are three characters or less in length. The name
- "all" may not be used as a zone name nor may the zone name
- assigned to the firewall itself via the FW variable in all may not be used as a zone name nor may the zone
+ name assigned to the firewall itself via the FW variable in .
@@ -436,9 +436,9 @@
file as desired so long as you have at least one zone defined.
- If you rename or delete a zone, you should perform "shorewall
- stop; shorewall start" to install the change rather than
- "shorewall restart".
+ If you rename or delete a zone, you should perform shorewall
+ stop; shorewall start to install the change rather than
+ shorewall restart.
@@ -461,8 +461,8 @@
A zone defined in the file or
- "-". If you specify "-", you must use the file to define the zones accessed via this
+ -. If you specify -, you must use the
+ file to define the zones accessed via this
interface.
@@ -488,9 +488,10 @@
the broadcast address(es) for the sub-network(s) attached to
the interface. This should be left empty for P-T-P interfaces (ppp*,
ippp*); if you need to specify options for such an interface, enter
- "-" in this column. If you supply the special value
- "detect" in this column, the firewall will automatically
- determine the broadcast address. In order to use "detect":
+ - in this column. If you supply the special value
+ detect in this column, the firewall will
+ automatically determine the broadcast address. In order to use
+ detect:
@@ -548,7 +549,7 @@
(Added in version 1.4.2) - This option causes Shorewall
to set up handling for routing packets that arrive on this
interface back out the same interface. If this option is
- specified, the ZONE column may not contain "-".
+ specified, the ZONE column may not contain -.
@@ -560,7 +561,7 @@
to make sanity checks on the header flags in TCP packets
arriving on this interface. Checks include Null flags,
SYN+FIN, SYN+RST and FIN+URG+PSH; these flag combinations are
- typically used for "silent" port scans. Packets
+ typically used for silent port scans. Packets
failing these checks are logged according to the
TCP_FLAGS_LOG_LEVEL option in and are
disposed of according to the TCP_FLAGS_DISPOSITION option.
@@ -611,9 +612,9 @@
Beware that as IPv4 addresses become in increasingly
short supply, ISPs are beginning to use RFC 1918 addresses
within their own infrastructure. Also, many cable and DSL
- "modems" have an RFC 1918 address that can be used
- through a web browser for management and monitoring functions.
- If you want to specify norfc1918
+ modems have an RFC 1918 address that can be
+ used through a web browser for management and monitoring
+ functions. If you want to specify norfc1918
on your external interface but need to allow access to certain
addresses from the above list, see FAQ
14.
@@ -683,7 +684,8 @@
'unclean' match target in iptables are logged
but not dropped. The level at which the
packets are logged is determined by the setting of LOGUNCLEAN
- and if LOGUNCLEAN has not been set, "info" is assumed.
+ and if LOGUNCLEAN has not been set, info is
+ assumed.
@@ -900,8 +902,8 @@
HOST(S)
- The name of a network interface followed by a colon
- (":") followed by a comma-separated list either:
+ The name of a network interface followed by a colon (:)
+ followed by a comma-separated list either:
@@ -1254,7 +1256,7 @@
The name of a client zone (a zone defined in the file , the name of the
- firewall zone or "all").
+ firewall zone or all).
@@ -1264,7 +1266,7 @@
The name of a destination zone (a zone defined in the file , the name of the
- firewall zone or "all"). Shorewall automatically
+ firewall zone or all). Shorewall automatically
allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in
both the SOURCE and DEST columns.
@@ -1299,8 +1301,8 @@
role="bold">SOURCE zone to the DEST
zone will not be rate-limited. Otherwise, this column specifies the
maximum rate at which TCP connection requests will be accepted
- followed by a colon (":") followed by the maximum burst size
- that will be tolerated. Example: 10/sec:40
+ followed by a colon (:) followed by the maximum burst
+ size that will be tolerated. Example: 10/sec:40
specifies that the maximum rate of TCP connection requests allowed
will be 10 per second and a burst of 40 connections will be
tolerated. Connection requests in excess of these limits will be
@@ -1310,7 +1312,7 @@
- In the SOURCE and DEST columns, you can enter "all" to
+ In the SOURCE and DEST columns, you can enter all to
indicate all zones.
@@ -1461,7 +1463,7 @@
interface. Beginning with Shorewall 1.4.1, Shorewall will ACCEPT all
traffic from a zone to itself provided that there is no explicit policy
governing traffic from that zone to itself (an explicit policy does not
- specify "all" in either the SOURCE or DEST column) and that
+ specify all in either the SOURCE or DEST column) and that
there are no rules concerning connections from that zone to itself. If
there is an explicit policy or if there are one or more rules, then
traffic within the zone is handled just like traffic between zones is.
@@ -1962,9 +1964,9 @@
Causes the connection request to be forwarded to the
system specified in the DEST column (port forwarding).
- "DNAT" stands for "Destination
+ DNAT stands for Destination
Network Address
- Translation"
+ Translation
@@ -2039,9 +2041,9 @@
When the protocol specified in the PROTO column is TCP
- ("tcp", "TCP" or "6"), Shorewall
- will only pass connection requests (SYN packets) to user
- space. This is for compatibility with ftwall.
+ (tcp, TCP or 6),
+ Shorewall will only pass connection requests (SYN packets)
+ to user space. This is for compatibility with ftwall.
@@ -2064,7 +2066,7 @@
<rate>/<interval>[:<burst>] >
where <rate> is the number of connections per
- <interval> ("sec" or "min") and
+ <interval> (sec or min) and
<burst> is the largest burst permitted. If no burst value is
given, a value of 5 is assumed.
@@ -2086,10 +2088,10 @@
- When rate limiting is specified on a rule with "all"
- in the SOURCE or DEST fields below, the limit will apply to each
- pair of zones individually rather than as a single limit for all
- pairs of zones covered by the rule.
+ When rate limiting is specified on a rule with
+ all in the SOURCE or DEST fields below, the limit
+ will apply to each pair of zones individually rather than as a
+ single limit for all pairs of zones covered by the rule.Rate limiting may also be specified in the RATE LIMIT column
@@ -2097,11 +2099,12 @@
column.The ACTION (and rate limit) may optionally be followed by
- ":" and a syslog level
- (example: REJECT:info or ACCEPT<2/sec:4>:debugging). This
- causes the packet to be logged at the specified level prior to being
- processed according to the specified ACTION. Note: if the ACTION is
- LOG then you MUST specify a syslog level.
+ : and a syslog
+ level (example: REJECT:info or
+ ACCEPT<2/sec:4>:debugging). This causes the packet to be
+ logged at the specified level prior to being processed according to
+ the specified ACTION. Note: if the ACTION is LOG then you MUST
+ specify a syslog level.
The use of DNAT or REDIRECT requires that you have NAT
enabled.
@@ -2114,15 +2117,15 @@
Describes the source hosts to which the rule applies.. The
contents of this field must begin with the name of a zone defined in
- /etc/shorewall/zones, $FW or "all". If the ACTION is DNAT or
- REDIRECT, sub-zones may be excluded from the rule by following the
- initial zone name with "!' and a comma-separated list of
- those sub-zones to be excluded. There is an example
- above.
+ /etc/shorewall/zones, $FW or all. If the ACTION is
+ DNAT or REDIRECT, sub-zones may be excluded from the rule by
+ following the initial zone name with ! and a
+ comma-separated list of those sub-zones to be excluded. There is an
+ example above.
If the source is not 'all' then the source may be
- further restricted by adding a colon (":") followed by a
- comma-separated list of qualifiers. Qualifiers are may include:
+ further restricted by adding a colon (:) followed by
+ a comma-separated list of qualifiers. Qualifiers are may include:
@@ -2132,7 +2135,7 @@
refers to any connection requests arriving on the
specified interface (example loc:eth4). Beginning with
Shorwall 1.3.9, the interface name may optionally be followed
- by a colon (":") and an IP address or subnet
+ by a colon (:) and an IP address or subnet
(examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).
@@ -2226,8 +2229,8 @@
Protocol. Must be a protocol name from /etc/protocols, a
- number or "all". Specifies the protocol of the connection
- request.
+ number or all. Specifies the protocol of the
+ connection request.
@@ -2240,9 +2243,9 @@
udp or icmp. For icmp, this column's contents are interpreted as
an icmp type. If you don't want to specify DEST PORT(S) but need
to include information in one of the columns to the right, enter
- "-" in this column. You may give a list of ports and/or port
- ranges separated by commas. Port numbers may be either integers or
- service names from /etc/services.
+ - in this column. You may give a list of ports and/or
+ port ranges separated by commas. Port numbers may be either integers
+ or service names from /etc/services.
@@ -2254,10 +2257,10 @@
or port range (a port range is specified as <low port
number>:<high port number>). If you don't want to
restrict client ports but want to specify something in the next
- column, enter "-" in this column. If you wish to specify a
- list of port number or ranges, separate the list elements with
- commas (with no embedded white space). Port numbers may be either
- integers or service names from /etc/services.
+ column, enter - in this column. If you wish to
+ specify a list of port number or ranges, separate the list elements
+ with commas (with no embedded white space). Port numbers may be
+ either integers or service names from /etc/services.
@@ -2280,13 +2283,13 @@
addresses are specified in the ORIGINAL DEST column as a
comma-separated list.
- The IP address(es) may be optionally followed by ":"
- and a second IP address. This latter address, if present, is used as
- the source address for packets forwarded to the server (This is
- called "Source NAT" or SNAT.
+ The IP address(es) may be optionally followed by
+ : and a second IP address. This latter address, if
+ present, is used as the source address for packets forwarded to the
+ server (This is called Source NAT or SNAT.
- If this list begins with "!" then the rule will only
- apply if the original destination address matches none of the
+ If this list begins with ! then the rule will
+ only apply if the original destination address matches none of the
addresses listed.
@@ -2305,10 +2308,10 @@
- If SNAT is not used (no ":" and second IP address),
- the original source address is used. If you want any destination
- address to match the rule but want to specify SNAT, simply use a
- colon followed by the SNAT address.
+ If SNAT is not used (no : and second IP
+ address), the original source address is used. If you want any
+ destination address to match the rule but want to specify SNAT,
+ simply use a colon followed by the SNAT address.
@@ -2323,7 +2326,7 @@
<rate>/<interval>[:<burst>]where <rate> is the number of connections per
- <interval> ("sec" or "min") and
+ <interval> (sec or min) and
<burst> is the largest burst permitted. If no burst value is
given, a value of 5 is assumed.
@@ -2345,10 +2348,10 @@
- When rate limiting is specified on a rule with "all"
- in the SOURCE or DEST fields below, the limit will apply to each
- pair of zones individually rather than as a single limit for all
- pairs of zones covered by the rule.
+ When rate limiting is specified on a rule with
+ all in the SOURCE or DEST fields below, the limit
+ will apply to each pair of zones individually rather than as a
+ single limit for all pairs of zones covered by the rule.Rate limiting may also be specified in the ACTION column
@@ -2356,7 +2359,7 @@
LIMIT column.If you want to specify any following columns but no rate
- limit, place "-" in this column.
+ limit, place - in this column.
@@ -2431,8 +2434,8 @@
proxy running on the firewall and listening on port 3128. Squid will of
course require access to remote web servers. This example shows yet
another use for the ORIGINAL DEST column; here, connection requests that
- were NOT (notice the "!") originally destined to 206.124.146.177
- are redirected to local port 3128.
+ were NOT (notice the !) originally destined to
+ 206.124.146.177 are redirected to local port 3128.
@@ -2668,8 +2671,8 @@
passive ports 0.0.0.0/0 65500 65534
- If you are running pure-ftpd, you would include "-p
- 65500:65534" on the pure-ftpd runline.
+ If you are running pure-ftpd, you would include -p
+ 65500:65534 on the pure-ftpd runline.The important point here is to ensure that the port range used for
FTP passive connections is unique and will not overlap with any usage on
@@ -2935,8 +2938,8 @@
- Using "DNAT-" rather than "DNAT" avoids two extra
- copies of the third rule from being generated.
+ Using DNAT- rather than DNAT avoids
+ two extra copies of the third rule from being generated.
@@ -3029,8 +3032,8 @@
The interface that will masquerade the subnet; this is
normally your internet interface. This interface name can be
- optionally qualified by adding ":" and a subnet or host IP.
- When this qualification is added, only packets addressed to that
+ optionally qualified by adding : and a subnet or host
+ IP. When this qualification is added, only packets addressed to that
host or subnet will be masqueraded. Beginning with Shorewall version
1.3.14, if you have set ADD_SNAT_ALIASES=Yes in ,
you can cause Shorewall to create an alias label
@@ -3065,8 +3068,8 @@
named interface.
- The subnet may be optionally followed by "!' and a
- comma-separated list of addresses and/or subnets that are to be
+ The subnet may be optionally followed by ! and
+ a comma-separated list of addresses and/or subnets that are to be
excluded from masquerading.
@@ -3308,7 +3311,7 @@
the interface that connects to the system. If the interface is
- obvious from the subnetting, you may enter "-" in this
+ obvious from the subnetting, you may enter - in this
column.
@@ -3327,9 +3330,9 @@
If you already have a route through INTERFACE to ADDRESS, this
- column should contain "Yes" or "yes". If you want
- Shorewall to add the route, the column should contain "No"
- or "no".
+ column should contain Yes or yes. If
+ you want Shorewall to add the route, the column should contain
+ No or no.
@@ -3343,10 +3346,10 @@
changed, you may need to flush the ARP cache on host A as well.
ISPs typically have ARP configured with long TTL (hours!) so if
- your ISPs router has a stale cache entry (as seen using "tcpdump
- -nei <external interface> host <IP addr>"), it may
- take a long while to time out. I personally have had to contact my ISP
- and ask them to delete a stale entry in order to restore a system to
+ your ISPs router has a stale cache entry (as seen using tcpdump
+ -nei <external interface> host <IP addr>), it
+ may take a long while to time out. I personally have had to contact my
+ ISP and ask them to delete a stale entry in order to restore a system to
working order after changing my proxy ARP settings.
@@ -3395,7 +3398,7 @@
a subnet that is smaller than the subnet of your internet interface. See
the Proxy
ARP Subnet Mini HOWTO for details. In this case you will want to
- place "Yes" in the HAVEROUTE column.
+ place Yes in the HAVEROUTE column.
@@ -3578,21 +3581,22 @@
disposition). To use LOGFORMAT with fireparse, set it as:
- LOGFORMAT="fp=%s:%d a=%s "
+ LOGFORMAT=fp=%s:%d a=%s If the LOGFORMAT value contains the substring '%d'
then the logging rule number is calculated and formatted in that
position; if that substring is not included then the rule number is
not included. If not supplied or supplied as empty
- (LOGFORMAT="") then "Shorewall:%s:%s:" is assumed.
+ (LOGFORMAT="") then Shorewall:%s:%s: is
+ assumed.
/sbin/shorewall uses the leading part of the LOGFORMAT
string (up to but not including the first '%') to find log
messages in the 'show log', 'status' and
'hits' commands. This part should not be omitted (the
- LOGFORMAT should not begin with "%") and the leading part
- should be sufficiently unique for /sbin/shorewall to identify
+ LOGFORMAT should not begin with %) and the leading
+ part should be sufficiently unique for /sbin/shorewall to identify
Shorewall messages.
@@ -3626,8 +3630,8 @@
that chain rather than in the PREROUTING chain. This permits you to
mark inbound traffic based on its destination address when SNAT or
Masquerading are in use. To determine if your kernel has a FORWARD
- chain in the mangle table, use the "/sbin/shorewall show
- mangle" command; if a FORWARD chain is displayed then your
+ chain in the mangle table, use the /sbin/shorewall show
+ mangle command; if a FORWARD chain is displayed then your
kernel will support this option. If this option is not specified or
if it is given the empty value (e.g.,
MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is
@@ -3707,12 +3711,12 @@
NEWNOTSYN
- (Added in Version 1.3.8) - When set to "Yes" or
- "yes", Shorewall will filter TCP packets that are not part
- of an established connention and that are not SYN packets (SYN flag
- on - ACK flag off). If set to "No", Shorewall will silently
- drop such packets. If not set or set to the empty value (e.g.,
- "NEWNOTSYN="), NEWNOTSYN=No is assumed.
+ (Added in Version 1.3.8) - When set to Yes or
+ yes, Shorewall will filter TCP packets that are not
+ part of an established connention and that are not SYN packets (SYN
+ flag on - ACK flag off). If set to No, Shorewall will
+ silently drop such packets. If not set or set to the empty value
+ (e.g., NEWNOTSYN=), NEWNOTSYN=No is assumed.If you have a HA setup with failover to another firewall, you
should have NEWNOTSYN=Yes on both firewalls. You should also select
@@ -3742,13 +3746,14 @@
DETECT_DNAT_ADDRS
- (Added in Version 1.3.4) - If set to "Yes" or
- "yes", Shorewall will detect the first IP address of the
- interface to the source zone and will include this address in DNAT
- rules as the original destination IP address. If set to "No"
- or "no", Shorewall will not detect this address and any
- destination IP address will match the DNAT rule. If not specified or
- empty, "DETECT_DNAT_ADDRS=Yes" is assumed.
+ (Added in Version 1.3.4) - If set to Yes or
+ yes, Shorewall will detect the first IP address of
+ the interface to the source zone and will include this address in
+ DNAT rules as the original destination IP address. If set to
+ No or no, Shorewall will not detect
+ this address and any destination IP address will match the DNAT
+ rule. If not specified or empty, DETECT_DNAT_ADDRS=Yes
+ is assumed.
@@ -3761,9 +3766,9 @@
now automatically detected by Shorewall
- If set to "Yes" or "yes", Shorewall will use
- the Netfilter multiport facility. In order to use this facility,
- your kernel must have multiport support
+ If set to Yes or yes, Shorewall
+ will use the Netfilter multiport facility. In order to use this
+ facility, your kernel must have multiport support
(CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, Shorewall
will generate a single rule from each record in the
/etc/shorewall/rules file that meets these criteria:
@@ -3787,11 +3792,12 @@
NAT_BEFORE_RULES
- If set to "No" or "no", port forwarding rules
- can override the contents of the file. If set
- to "Yes" or "yes", port forwarding rules cannot
- override one-to-one NAT. If not set or set to an empty value,
- "Yes" is assumed.
+ If set to No or no, port
+ forwarding rules can override the contents of the file. If set to Yes or
+ yes, port forwarding rules cannot override one-to-one
+ NAT. If not set or set to an empty value, Yes is
+ assumed.
@@ -3800,7 +3806,8 @@
This parameter specifies the name of the firewall zone. If not
- set or if set to an empty string, the value "fw" is assumed.
+ set or if set to an empty string, the value fw is
+ assumed.
@@ -3869,10 +3876,10 @@
This parameter tells the /sbin/shorewall program where to look
- for Shorewall messages when processing the "show log",
- "monitor", "status" and "hits" commands. If
- not assigned or if assigned an empty value, /var/log/messages is
- assumed.
+ for Shorewall messages when processing the show log,
+ monitor, status and hits
+ commands. If not assigned or if assigned an empty value,
+ /var/log/messages is assumed.
@@ -3898,9 +3905,10 @@
Masquerading
- If the parameter has no value or has a value of "Yes"
- or "yes" then NAT is enabled. If the parameter has a value
- of "no" or "No" then NAT is disabled.
+ If the parameter has no value or has a value of
+ Yes or yes then NAT is enabled. If the
+ parameter has a value of no or No then
+ NAT is disabled.
@@ -3914,11 +3922,11 @@
This parameter determines if packet mangling is enabled. If
- the parameter has no value or has a value of "Yes" or
- "yes" than packet mangling is enabled. If the parameter has
- a value of "no" or "No" then packet mangling is
- disabled. If packet mangling is disabled, the /etc/shorewall/tos
- file is ignored.
+ the parameter has no value or has a value of Yes or
+ yes than packet mangling is enabled. If the parameter
+ has a value of no or No then packet
+ mangling is disabled. If packet mangling is disabled, the
+ /etc/shorewall/tos file is ignored.
@@ -3968,10 +3976,10 @@
This parameter determines whether Shorewall automatically adds
the external address(es) in .
- If the variable is set to "Yes" or "yes" then
- Shorewall automatically adds these aliases. If it is set to
- "No" or "no", you must add these aliases yourself
- using your distribution's network configuration tools.
+ If the variable is set to Yes or yes
+ then Shorewall automatically adds these aliases. If it is set to
+ No or no, you must add these aliases
+ yourself using your distribution's network configuration tools.
Shorewall versions before 1.4.6 can only add addresses to
@@ -3989,10 +3997,10 @@
This parameter determines whether Shorewall automatically adds
the SNAT ADDRESS in . If
- the variable is set to "Yes" or "yes" then Shorewall
- automatically adds these addresses. If it is set to "No" or
- "no", you must add these addresses yourself using your
- distribution's network configuration tools.
+ the variable is set to Yes or yes then
+ Shorewall automatically adds these addresses. If it is set to
+ No or no, you must add these addresses
+ yourself using your distribution's network configuration tools.Shorewall versions before 1.4.6 can only add addresses to
@@ -4049,9 +4057,9 @@
This parameter enables the TCP Clamp MSS to PMTU feature of
Netfilter and is usually required when your internet connection is
- through PPPoE or PPTP. If set to "Yes" or "yes", the
- feature is enabled. If left blank or set to "No" or
- "no", the feature is not enabled.
+ through PPPoE or PPTP. If set to Yes or
+ yes, the feature is enabled. If left blank or set to
+ No or no, the feature is not enabled.This option requires CONFIG_IP_NF_TARGET_TCPMSS ROUTE_FILTER
- If this parameter is given the value "Yes" or
- "yes" then route filtering (anti-spoofing) is enabled on all
- network interfaces. The default value is "no".
+ If this parameter is given the value Yes or
+ yes then route filtering (anti-spoofing) is enabled
+ on all network interfaces. The default value is no.
@@ -4082,7 +4090,7 @@
linkend="Conf" /> above).The file that is released with Shorewall calls the Shorewall
- function "loadmodule" for the set of modules that I load.
+ function loadmodule for the set of modules that I load.
The loadmodule function is called as follows:
@@ -4096,8 +4104,8 @@
<modulename>
- is the name of the modules without the trailing ".o"
- (example ip_conntrack).
+ is the name of the modules without the trailing
+ .o (example ip_conntrack).
@@ -4112,7 +4120,7 @@
The function determines if the module named by <modulename>
is already loaded and if not then the function determines if the
- ".o" file corresponding to the module exists in the
+ .o file corresponding to the module exists in the
moduledirectory; if so, then the following command is
executed:
@@ -4120,7 +4128,7 @@
<module parameters>
If the file doesn't exist, the function determines of the
- ".o.gz" file corresponding to the module exists in the
+ .o.gz file corresponding to the module exists in the
moduledirectory. If it does, the function assumes
that the running configuration supports compressed modules and execute the
following command:
@@ -4145,12 +4153,12 @@
The source zone. May be qualified by following the zone name
- with a colon (":") and either an IP address, an IP subnet, a
- MAC address in
+ with a colon (:) and either an IP address, an IP
+ subnet, a MAC address in
Shorewall Format or the name of an interface. This column
may also contain the name of the firewall zone to indicate packets
- originating on the firewall itself or "all" to indicate any
- source.
+ originating on the firewall itself or all to indicate
+ any source.
@@ -4159,10 +4167,10 @@
The destination zone. May be qualified by following the zone
- name with a colon (":") and either an IP address or an IP
- subnet. Because packets are marked prior to routing, you may not
+ name with a colon (:) and either an IP address or an
+ IP subnet. Because packets are marked prior to routing, you may not
specify the name of an interface. This column may also contain
- "all" to indicate any destination.
+ all to indicate any destination.
@@ -4180,7 +4188,7 @@
The source port or a port range. For all ports, place a hyphen
- ("-") in this column.
+ (-) in this column.
@@ -4189,7 +4197,7 @@
The destination port or a port range. To indicate all ports,
- place a hyphen ("-") in this column.
+ place a hyphen (-) in this column.
@@ -4379,7 +4387,7 @@
(from /etc/services). If present, only packets destined for the
specified protocol and one of the listed ports are blocked. When the
PROTOCOL is icmp, the PORTS column contains a comma-separated list
- of ICMP type numbers or names (see "iptables -h icmp").
+ of ICMP type numbers or names (see iptables -h icmp).
@@ -4469,7 +4477,7 @@
A comma-separated list of IP/Subnet addresses. If not supplied
- or supplied as "-" then 0.0.0.0/0 is assumed.
+ or supplied as - then 0.0.0.0/0 is assumed.