diff --git a/Samples/one-interface/shorewall.conf b/Samples/one-interface/shorewall.conf index 961892a9c..1f6622689 100644 --- a/Samples/one-interface/shorewall.conf +++ b/Samples/one-interface/shorewall.conf @@ -201,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples/three-interfaces/shorewall.conf b/Samples/three-interfaces/shorewall.conf index 6aa1bb45a..416a8cd96 100644 --- a/Samples/three-interfaces/shorewall.conf +++ b/Samples/three-interfaces/shorewall.conf @@ -201,7 +201,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples/two-interfaces/shorewall.conf b/Samples/two-interfaces/shorewall.conf index 9ec4646f9..a67fa4dcf 100644 --- a/Samples/two-interfaces/shorewall.conf +++ b/Samples/two-interfaces/shorewall.conf @@ -208,7 +208,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples6/Universal/shorewall6.conf b/Samples6/Universal/shorewall6.conf index bc426d178..00918626f 100644 --- a/Samples6/Universal/shorewall6.conf +++ b/Samples6/Universal/shorewall6.conf @@ -153,7 +153,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=Yes -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=Yes diff --git a/Samples6/one-interface/shorewall6.conf b/Samples6/one-interface/shorewall6.conf index 462f02533..8723366fc 100644 --- a/Samples6/one-interface/shorewall6.conf +++ b/Samples6/one-interface/shorewall6.conf @@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples6/three-interfaces/shorewall6.conf b/Samples6/three-interfaces/shorewall6.conf index 4b763d7d1..bd64d6007 100644 --- a/Samples6/three-interfaces/shorewall6.conf +++ b/Samples6/three-interfaces/shorewall6.conf 
@@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Samples6/two-interfaces/shorewall6.conf b/Samples6/two-interfaces/shorewall6.conf index 25f807bb0..04a862281 100644 --- a/Samples6/two-interfaces/shorewall6.conf +++ b/Samples6/two-interfaces/shorewall6.conf @@ -155,7 +155,7 @@ LOAD_HELPERS_ONLY=Yes REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/Shorewall/configfiles/shorewall.conf b/Shorewall/configfiles/shorewall.conf index 83ffaf765..aad11f48c 100644 --- a/Shorewall/configfiles/shorewall.conf +++ b/Shorewall/configfiles/shorewall.conf @@ -190,7 +190,7 @@ LOAD_HELPERS_ONLY=No REQUIRE_INTERFACE=No -FORWARD_CLEAR_MARK=Yes +FORWARD_CLEAR_MARK= COMPLETE=No diff --git a/docs/ProxyARP.xml b/docs/ProxyARP.xml index c84e1b88c..798c056d6 100644 --- a/docs/ProxyARP.xml +++ b/docs/ProxyARP.xml @@ -34,46 +34,50 @@ - Proxy ARP (RFC 1027) is a way to make a machine physically located on - one network appear to be logically part of a different physical network - connected to the same router/firewall. Typically it allows us to hide a - machine with a public IP address on a private network behind a router, and - still have the machine appear to be on the public network "in front of" the - router. The router "proxys" ARP requests and all network traffic to and from - the hidden machine to make this fiction possible. +
+ Overview - Consider a router with two interface cards, one connected to a public - network PUBNET and one connected to a private network PRIVNET. We want to - hide a server machine on the PRIVNET network but have it accessible from the - PUBNET network. The IP address of the server machine lies in the PUBNET - network, even though we are placing the machine on the PRIVNET network - behind the router. + Proxy ARP (RFC 1027) is a way to make a machine physically located + on one network appear to be logically part of a different physical network + connected to the same router/firewall. Typically it allows us to hide a + machine with a public IP address on a private network behind a router, and + still have the machine appear to be on the public network "in front of" + the router. The router "proxys" ARP requests and all network traffic to + and from the hidden machine to make this fiction possible. - By enabling proxy ARP on the router, any machine on the PUBNET network - that issues an ARP "who has" request for the server's MAC address will get a - proxy ARP reply from the router containing the router's MAC address. This - tells machines on the PUBNET network that they should be sending packets - destined for the server via the router. The router forwards the packets from - the machines on the PUBNET network to the server on the PRIVNET - network. + Consider a router with two interface cards, one connected to a + public network PUBNET and one connected to a private network PRIVNET. We + want to hide a server machine on the PRIVNET network but have it + accessible from the PUBNET network. The IP address of the server machine + lies in the PUBNET network, even though we are placing the machine on the + PRIVNET network behind the router. - Similarly, when the server on the PRIVNET network issues a "who has" - request for any machines on the PUBNET network, the router provides its own - MAC address via proxy ARP. 
This tells the server to send packets for - machines on the PUBNET network via the router. The router forwards the - packets from the server on the PRIVNET network to the machines on the PUBNET - network. + By enabling proxy ARP on the router, any machine on the PUBNET + network that issues an ARP "who has" request for the server's MAC address + will get a proxy ARP reply from the router containing the router's MAC + address. This tells machines on the PUBNET network that they should be + sending packets destined for the server via the router. The router + forwards the packets from the machines on the PUBNET network to the server + on the PRIVNET network. - The proxy ARP provided by the router allows the server on the - PRIVNETnetwork to appear to be on the PUBNET network. It lets the router - pass ARP requests and other network packets in both directions between the - server machine and the PUBNET network, making the server machine appear to - be connected to the PUBNET network even though it is on the PRIVNET network - hidden behind the router. + Similarly, when the server on the PRIVNET network issues a "who has" + request for any machines on the PUBNET network, the router provides its + own MAC address via proxy ARP. This tells the server to send packets for + machines on the PUBNET network via the router. The router forwards the + packets from the server on the PRIVNET network to the machines on the + PUBNET network. - Before you try to use this technique, I strongly recommend that you - read the Shorewall Setup - Guide. + The proxy ARP provided by the router allows the server on the + PRIVNETnetwork to appear to be on the PUBNET network. It lets the router + pass ARP requests and other network packets in both directions between the + server machine and the PUBNET network, making the server machine appear to + be connected to the PUBNET network even though it is on the PRIVNET + network hidden behind the router. 
+ + Before you try to use this technique, I strongly recommend that you + read the Shorewall Setup + Guide. +
Example
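Review bot: In every Samples/*/shorewall.conf, Samples6/*/shorewall6.conf and Shorewall/configfiles/shorewall.conf hunk, `-FORWARD_CLEAR_MARK=Yes` becomes `+FORWARD_CLEAR_MARK=` with no comment or commit text saying what an empty value resolves to. An administrator who diffs a running shorewall.conf against the updated sample cannot tell whether the effective behaviour changed; add a one-line comment above the setting (or a sentence in the commit message) stating the default that applies when the option is left empty and why the samples no longer pin it to Yes.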
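Review bot: The shipped default Shorewall/configfiles/shorewall.conf is updated, but no matching hunk for the shipped shorewall6.conf under Shorewall6/configfiles appears in this patch, even though all four Samples6 shorewall6.conf files are changed. If the omission is intentional, say so in the commit message; otherwise the IPv6 default config will keep `FORWARD_CLEAR_MARK=Yes` while its samples leave it empty.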
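Review bot: In the docs/ProxyARP.xml hunk the text is re-wrapped under a new "Overview" section, but the existing typo "PRIVNETnetwork" (missing space before "network") in the "The proxy ARP provided by the router allows the server on the PRIVNETnetwork" paragraph is carried over verbatim into the `+` lines; fix it to "PRIVNET network" while the paragraph is being touched. Also consider splitting the pure re-indent/re-wrap from the structural change (adding the section and its title), since the current hunk rewrites every line and hides which words actually changed.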