Large cleanup patch from Tuomo Soini

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2449 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/accounting

@@ -29,7 +29,7 @@
 #					  a jump to that chain. If :COUNT
 #					  is including, a counting rule
 #					  matching this record will be
-#				          added to <chain>
+#					  added to <chain>
 #
 #	CHAIN	      - The name of a chain. If specified as "-" the
 #			'accounting' chain is assumed. This is the chain
@@ -49,10 +49,11 @@
 #	PROTOCOL	A protocol name (from /etc/protocols), a protocol
 #			number, or "ipp2p"
 #
-#	DEST PORT	Destination Port number. If the PROTOCOL is "ipp2p" then
+#	DEST PORT	Destination Port number. If the PROTOCOL is "ipp2p"
-#			this column must contain an ipp2p option ("iptables -m 
+#			then this column must contain an ipp2p option
-#			ipp2p --help") without the leading "--". If no option
+#			("iptables -m ipp2p --help") without the leading
-#			is given in this column, "ipp2p" is assumed.
+#			"--". If no option is given in this column, "ipp2p"
+#			is assumed.
 #
 #			Service name from /etc/services or port number. May
 #			only be specified if the protocol is TCP or UDP (6
@@ -69,7 +70,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>][+<program name>]
+#	[!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@@ -81,17 +82,17 @@
 #				joe	#program must be run by joe
 #				:kids	#program must be run by a member of
 #					#the 'kids' group
-#				!:kids  #program must not be run by a member
+#				!:kids	#program must not be run by a member
 #					#of the 'kids' group
-#				+upnpd  #program named upnpd
+#				+upnpd	#program named upnpd
 #
 #	In all of the above columns except ACTION and CHAIN, the values "-",
 #	"any" and "all" may be used as wildcards
 #
-#	Please see http://shorewall.net/Accounting.html for examples and 
+# Please see http://shorewall.net/Accounting.html for examples and
-#	additional information about how to use this file.
+# additional information about how to use this file.
 #
-#ACTION	CHAIN 	SOURCE		DESTINATION	PROTO	DEST	   	SOURCE	USER/
+#####################################################################################
+#ACTION	CHAIN	SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #							PORT		PORT	GROUP
-#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/action.Drop

@@ -1,21 +1,24 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/action.Drop
+# Shorewall version 2.6 - Drop Action
+#
+# /usr/share/shorewall/action.Drop
 #
 #	The default DROP common rules
 #
-# This action is invoked before a DROP policy is enforced. The purpose of the action
+#	This action is invoked before a DROP policy is enforced. The purpose
-# is:
+#	of the action is:
 #
 #	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is DROP.
+#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   Otherwise, you may experience problems establishing connections with
+#	   DROP. Otherwise, you may experience problems establishing
-#	   servers that use auth.
+#	   connections with servers that use auth.
-#       c) Ensure that certain ICMP packets that are necessary for successful 
+#	c) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-######################################################################################
+#
-#TARGET  	SOURCE		DEST      	PROTO	DPORT	SPORT
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
 # Reject 'auth'
 #
@@ -27,10 +30,10 @@ dropBcast
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-		-		icmp
+AllowICMPs	-	-	icmp
 #
-# Drop packets that in the INVALID state -- these are usually ICMP packets and just
+# Drop packets that in the INVALID state -- these are usually ICMP packets
-# confuse people when they appear in the log.
+# and just confuse people when they appear in the log.
 #
 dropInvalid
 #
@@ -41,9 +44,10 @@ DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-		-		tcp
+dropNotSyn	-	-	tcp
 #
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
 #
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/action.Reject

@@ -1,33 +1,37 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/action.Reject
+# Shorewall version 2.6 - Reject Action
+#
+# /usr/share/shorewall/action.Reject
 #
 #	The default REJECT action common rules
 #
-# This action is invoked before a REJECT policy is enforced. The purpose of the action
+#	This action is invoked before a REJECT policy is enforced. The purpose
-# is:
+#	of the action is:
 #
 #	a) Avoid logging lots of useless cruft.
-#       b) Ensure that certain ICMP packets that are necessary for successful 
+#	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
-# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!!!!
+# IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
-######################################################################################
+###############################################################################
-#TARGET  	SOURCE		DEST      	PROTO
+#TARGET		SOURCE	DEST	PROTO
 #
 # Don't log 'auth' REJECT
 #
 Auth/REJECT
 #
-# Drop Broadcasts so they don't clutter up the log (broadcasts must *not* be rejected).
+# Drop Broadcasts so they don't clutter up the log
+# (broadcasts must *not* be rejected).
 #
 dropBcast
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs	-		-		icmp
+AllowICMPs	-	-	icmp
 #
-# Drop packets that in the INVALID state -- these are usually ICMP packets and just
+# Drop packets that in the INVALID state -- these are usually ICMP packets
-# confuse people when they appear in the log (these ICMPs cannot be rejected).
+# and just confuse people when they appear in the log (these ICMPs cannot be
+# rejected).
 #
 dropInvalid
 #
@@ -38,9 +42,10 @@ DropUPnP
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-dropNotSyn	-		-		tcp
+dropNotSyn	-	-	tcp
 #
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up the log.
+# Drop late-arriving DNS replies. These are just a nuisance and clutter up
+# the log.
 #
 DropDNSrep
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/action.template

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 /etc/shorewall/action.template
+# Shorewall version 2.6 - Template Action
+#
+# /etc/shorewall/action.template
 #
 #	This file is a template for files with names of the form
 #	/etc/shorewall/action.<action-name> where <action> is an
@@ -20,20 +22,21 @@
 #	TARGET		ACCEPT, DROP, REJECT, LOG, QUEUE or a
 #			previously-defined <action>
 #
-#				ACCEPT   -- allow the connection request
+#				ACCEPT	 -- allow the connection request
-#				DROP     -- ignore the request
+#				DROP	 -- ignore the request
-#				REJECT   -- disallow the request and return an
+#				REJECT	 -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.
-#				LOG      -- Simply log the packet and continue.
+#				LOG	 -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as p2pwall.
 #				CONTINUE -- Discontinue processing this action
 #					    and return to the point where the
 #					    action was invoked.
 #				<action> -- An <action> defined in
-#					    /etc/shorewall/actions. The <action>
+#					    /etc/shorewall/actions.
-#					    must appear in that file BEFORE the
+#					    The <action> must appear in that
-#					    one being defined in this file.
+#					    file BEFORE the one being defined
+#					    in this file.
 #
 #			The TARGET may optionally be followed
 #			by ":" and a syslog log level (e.g, REJECT:info or
@@ -72,21 +75,21 @@
 #						kernel and iptables must have
 #						iprange match support.
 #
-#			+remote                 The name of an ipset prefaced
+#			+remote			The name of an ipset prefaced
-#					        by "+". Your kernel and
+#						by "+". Your kernel and
 #						iptables must have set match
 #						support
 #
-#			+remote[4]              The name of the ipset may
+#			+remote[4]		The name of the ipset may
-#                                               followed by a number of
+#						followed by a number of
-#                                               levels of ipset bindings
+#						levels of ipset bindings
-#                                               enclosed in square brackets.
+#						enclosed in square brackets.
 #
 #			192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2.
-#			~00-A0-C9-15-39-78      Host with
+#			~00-A0-C9-15-39-78	Host with
-#                                               MAC address 00:A0:C9:15:39:78.
+#						MAC address 00:A0:C9:15:39:78.
 #
 #			Alternatively, clients may be specified by interface
 #			name. For example, eth1 specifies a
@@ -95,14 +98,15 @@
 #			another colon (":") and an IP/MAC/subnet address
 #			as described above (e.g., eth1:192.168.1.5).
 #
-#	DEST		Location of destination host. Same as above with the exception that
+#	DEST		Location of destination host. Same as above with
-#			MAC addresses are not allowed and that you cannot specify
+#			the exception that MAC addresses are not allowed and
-#                       an ipset name in both the SOURCE and DEST columns.
+#			that you cannot specify an ipset name in both the
+#			SOURCE and DEST columns.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
 #
-#	DEST PORT(S)    Destination Ports. A comma-separated list of Port
+#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
@@ -157,7 +161,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>][+<program name>]
+#	[!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@@ -169,11 +173,11 @@
 #				joe	#program must be run by joe
 #				:kids	#program must be run by a member of
 #					#the 'kids' group
-#				!:kids  #program must not be run by a member
+#				!:kids	#program must not be run by a member
 #					#of the 'kids' group
-#				+upnpd  #program named upnpd
+#				+upnpd	#program named upnpd
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE		USER/
+#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/actions

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 /etc/shorewall/actions
+# Shorewall version 2.6 - Actions File
+#
+# /etc/shorewall/actions
 #
 #	This file allows you to define new ACTIONS for use in rules
 #	(/etc/shorewall/rules). You define the iptables rules to
@@ -24,9 +26,8 @@
 #	If you specify ":DROP", ":REJECT" or ":ACCEPT" on a line by
 #	itself, the associated policy will have no common action.
 #
-#	Please see http://shorewall.net/Actions.html for additional
+# Please see http://shorewall.net/Actions.html for additional information.
-#	information.
 #
+###############################################################################
 #ACTION
-
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/actions.std

@@ -1,27 +1,28 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/actions.std
+# Shorewall version 2.6 - Actions.std File
+#
+# /usr/share/shorewall/actions.std
 #
 #	Please see http://shorewall.net/Actions.html for additional
 #	information.
 #
 # Builtin Actions are:
 #
-#    allowBcast		#Silently Allow Broadcast/multicast
+#    allowBcast		# Silently Allow Broadcast/multicast
-#    dropBcast          #Silently Drop Broadcast/multicast
+#    dropBcast		# Silently Drop Broadcast/multicast
-#    dropNotSyn         #Silently Drop Non-syn TCP packets
+#    dropNotSyn		# Silently Drop Non-syn TCP packets
-#    rejNotSyn          #Silently Reject Non-syn TCP packets
+#    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    dropInvalid	#Silently Drop packets that are in the INVALID
+#    dropInvalid	# Silently Drop packets that are in the INVALID
-#                       #conntrack state.
+#			# conntrack state.
-#    allowInvalid	#Accept packets that are in the INVALID
+#    allowInvalid	# Accept packets that are in the INVALID
-#			#conntrack state.
+#			# conntrack state.
-#    allowoutUPnP       #Allow traffic from local command 'upnpd'
+#    allowoutUPnP	# Allow traffic from local command 'upnpd'
-#    allowinUPnP        #Allow UPnP inbound (to firewall) traffic
+#    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
-#    forwardUPnP	#Allow traffic that upnpd has redirected from
+#    forwardUPnP	# Allow traffic that upnpd has redirected from
-#			#'upnp' interfaces.
+#			# 'upnp' interfaces.
 #
+###############################################################################
 #ACTION
-
+Drop:DROP		# Common Action for DROP policy
-Drop:DROP	   #Common Action for DROP policy
+Reject:REJECT		# Common Action for REJECT policy
-Reject:REJECT      #Common Action for REJECT policy
-
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/blacklist

@@ -1,21 +1,22 @@
 #
-# Shorewall 2.6 -- Blacklist File
+# Shorewall version 2.6 - Blacklist File
 #
 # /etc/shorewall/blacklist
 #
-# This file contains a list of IP addresses, MAC addresses and/or subnetworks.
+#	This file contains a list of IP addresses, MAC addresses and/or
+#	subnetworks.
 #
 # Columns are:
 #
-#	ADDRESS/SUBNET 	- Host address, subnetwork, MAC address, IP address
+#	ADDRESS/SUBNET	- Host address, subnetwork, MAC address, IP address
 #			  range (if your kernel and iptables contain iprange
 #			  match support) or ipset name prefaced by "+" (if
 #			  your kernel supports ipset match).
 #
-# 			  MAC addresses must be prefixed with "~" and use "-"
+#			  MAC addresses must be prefixed with "~" and use "-"
 #			  as a separator.
 #
-# 			  Example: ~00-A0-C9-15-39-78
+#			  Example: ~00-A0-C9-15-39-78
 #
 #	PROTOCOL	- Optional. If specified, must be a protocol number
 #			  or a protocol name from /etc/protocols.
@@ -24,27 +25,28 @@
 #			  is TCP (6) or UDP (17). A comma-separated list
 #			  of port numbers or service names from /etc/services.
 #
-# When a packet arrives on an interface that has the 'blacklist' option
+#	When a packet arrives on an interface that has the 'blacklist' option
-# specified in /etc/shorewall/interfaces, its source IP address is checked
+#	specified in /etc/shorewall/interfaces, its source IP address is
-# against this file and disposed of according to the BLACKLIST_DISPOSITION and
+#	checked against this file and disposed of according to the
-# BLACKLIST_LOGLEVEL variables in /etc/shorewall/shorewall.conf
+#	BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL variables in
+#	/etc/shorewall/shorewall.conf
 #
-# If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
+#	If PROTOCOL or PROTOCOL and PORTS are supplied, only packets matching
-# the protocol (and one of the ports if PORTS supplied) are blocked.
+#	the protocol (and one of the ports if PORTS supplied) are blocked.
 #
-# Example:
+#	Example:
 #
-# To block DNS queries from address 192.0.2.126:
+#	To block DNS queries from address 192.0.2.126:
 #
-# ADDRESS/SUBNET	PROTOCOL	PORT
+#	ADDRESS/SUBNET		PROTOCOL	PORT
-# 192.0.2.126		udp		53
+#	192.0.2.126		udp		53
 #
-# Example:
+#	Example:
 #
-# To block DNS queries from addresses in the ipset 'dnsblack':
+#	To block DNS queries from addresses in the ipset 'dnsblack':
 #
-# ADDRESS/SUBNET	PROTOCOL	PORT
+#	ADDRESS/SUBNET		PROTOCOL	PORT
-# +dnsblack		udp		53
+#	+dnsblack		udp		53
 #
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
@@ -52,5 +54,3 @@
 ###############################################################################
 #ADDRESS/SUBNET		PROTOCOL	PORT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
-
-

Shorewall/continue

@@ -1,8 +1,14 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/continue
 #
-# Add commands below that you want to be executed after shorewall has
+# Shorewall version 2.6 - Continue File
-# cleared any existing Netfilter rules and has enabled existing connections.
 #
-# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+#  /etc/shorewall/continue
 #
+#	Add commands below that you want to be executed after shorewall has
+#	cleared any existing Netfilter rules and has enabled existing
+#	connections.
+#
+# For additional information, see
+# http://shorewall.net/shorewall_extension_scripts.htm
+#
+###############################################################################
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/ecn

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 - /etc/shorewall/ecn
+# Shorewall version 2.6 - Ecn File
+#
+# /etc/shorewall/ecn
 #
 #	Use this file to list the destinations for which you want to
 #	disable ECN.
 #
 #	This feature requires kernel 2.4.20 or later. If you run 2.4.20,
-#       you also need the patch found at http://www.shorewall.net/ecn/patch.
+#	you also need the patch found at http://www.shorewall.net/ecn/patch.
 #	That patch is included in kernels 2.4.21 and later.
 #
 #	INTERFACE	- Interface through which host(s) communicate with
@@ -17,6 +19,7 @@
 #			  are also permitted.
 #
 # For additional information, see http://shorewall.net/Documentation.htm#ECN
-##############################################################################
+#
+###############################################################################
 #INTERFACE	HOST(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/hosts

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 - /etc/shorewall/hosts
+# Shorewall version 2.6 - Hosts file
+#
+# /etc/shorewall/hosts
 #
 #	THE ONLY TIME YOU NEED THIS FILE IS WHERE YOU HAVE MORE THAN
 #	ONE ZONE CONNECTED THROUGH A SINGLE INTERFACE.
@@ -37,7 +39,8 @@
 #			   be defined in /etc/shorewall/interfaces and may
 #			   optionally followed by a colon (":") and a
 #			   host or network IP or a range.
-#			   See http://www.shorewall.net/Bridge.html for details.
+#			   See http://www.shorewall.net/Bridge.html
+#			   for details.
 #			e) The name of an ipset (preceded by "+").
 #
 #		  Examples:
@@ -60,11 +63,12 @@
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #
-#			routeback    - Shorewall should set up the infrastructure
+#			routeback    - Shorewall should set up the
-#				       to pass packets from this/these
+#				       infrastructure to pass packets
-#				       address(es) back to themselves. This is
+#				       from this/these address(es) back
-#				       necessary if hosts in this group use the
+#				       to themselves. This is necessary if
-#				       services of a transparent proxy that is
+#				       hosts in this group use the services
+#				       of a transparent proxy that is
 #				       a member of the group or if DNAT is used
 #				       to send requests originating from this
 #				       group to a server in the group.
@@ -120,14 +124,16 @@
 #				       This option has no effect if
 #				       NEWNOTSYN=Yes.
 #
-#			ipsec        - The zone is accessed via a
+#			ipsec	     - The zone is accessed via a
 #				       kernel 2.6 ipsec SA. Note that if the
 #				       zone named in the ZONE column is
 #				       specified as an IPSEC zone in the
-#				       /etc/shorewall/zones file then you do NOT
+#				       /etc/shorewall/zones file then you
-#				       need to specify the 'ipsec' option here.
+#				       do NOT need to specify the 'ipsec'
+#				       option here.
 #
 # For additional information, see http://shorewall.net/Documentation.htm#Hosts
 #
-#ZONE		HOST(S)				OPTIONS
+###############################################################################
+#ZONE	HOST(S)					OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE

Shorewall/init

@@ -1,8 +1,13 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/init
 #
-# Add commands below that you want to be executed at the beginning of
+# Shorewall version 2.4 - Init File
-# a "shorewall start" or "shorewall restart" command.
 #
-# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+# /etc/shorewall/init
 #
+#	Add commands below that you want to be executed at the beginning of
+#	a "shorewall start" or "shorewall restart" command.
+#
+# For additional information, see
+# http://shorewall.net/shorewall_extension_scripts.htm
+#
+###############################################################################
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/initdone

@@ -1,9 +1,14 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/initdone
 #
-# Add commands below that you want to be executed during 
+# Shorewall version 2.6 - Initdone File
-# "shorewall start" or "shorewall restart" commands at the point where
-# Shorewall has not yet added any perminent rules to the builtin chains.
 #
-# For additional information, see http://shorewall.net/shorewall_extension_scripts.htm
+# /etc/shorewall/initdone
 #
+#	Add commands below that you want to be executed during
+#	"shorewall start" or "shorewall restart" commands at the point where
+#	Shorewall has not yet added any perminent rules to the builtin chains.
+#
+# For additional information, see
+# http://shorewall.net/shorewall_extension_scripts.htm
+#
+###############################################################################
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/interfaces

@@ -1,5 +1,5 @@
 #
-# Shorewall 2.6 -- Interfaces File
+# Shorewall version 2.6 - Interfaces File
 #
 # /etc/shorewall/interfaces
 #
@@ -49,14 +49,14 @@
 #			dhcp	     - Specify this option when any of
 #				       the following are true:
 #				       1. the interface gets its IP address
-#				          via DHCP 
+#					  via DHCP
 #				       2. the interface is used by
-#                                         a DHCP server running on the firewall
+#					  a DHCP server running on the firewall
 #				       3. you have a static IP but are on a LAN
-#				          segment with lots of Laptop DHCP
+#					  segment with lots of Laptop DHCP
 #					  clients.
 #				       4. the interface is a bridge with
-#				          a DHCP server on one port and DHCP
+#					  a DHCP server on one port and DHCP
 #					  clients on another port.
 #
 #			norfc1918    - This interface should not receive
@@ -71,7 +71,7 @@
 #
 #			routefilter  - turn on kernel route filtering for this
 #				       interface (anti-spoofing measure). This
-#                                      option can also be enabled globally in
+#				       option can also be enabled globally in
 #				       the /etc/shorewall/shorewall.conf file.
 #
 #			logmartians  - turn on kernel martian logging (logging
@@ -118,24 +118,25 @@
 #				       from this interface, even if
 #				       NEWNOTSYN=No has been specified in
 #				       /etc/shorewall/shorewall.conf. In other
-#				       words, packets coming in on this interface
+#				       words, packets coming in on this
-#				       are processed as if NEWNOTSYN=Yes had been
+#				       interface are processed as if
-#				       specified in /etc/shorewall/shorewall.conf.
+#				       NEWNOTSYN=Yes had been specified in
+#					/etc/shorewall/shorewall.conf.
 #
 #				       This option has no effect if
 #				       NEWNOTSYN=Yes.
 #
 #				       It is the opinion of the author that
-#			  	       NEWNOTSYN=No creates more problems than
+#				       NEWNOTSYN=No creates more problems than
 #				       it solves and I recommend against using
 #				       that setting in shorewall.conf (hence
 #				       making the use of the 'newnotsyn'
 #				       interface option unnecessary).
 #
 #			routeback    - If specified, indicates that Shorewall
-#				       should include rules that allow filtering
+#				       should include rules that allow
-#				       traffic arriving on this interface back
+#				       filtering traffic arriving on this
-#				       out that same interface.
+#				       interface back out that same interface.
 #
 #			arp_filter   - If specified, this interface will only
 #				       respond to ARP who-has requests for IP
@@ -143,7 +144,7 @@
 #				       If not specified, the interface can
 #				       respond to ARP who-has requests for
 #				       IP addresses on any of the firewall's
-#                                      interface. The interface must be up
+#				       interface. The interface must be up
 #				       when Shorewall is started.
 #
 #			arp_ignore[=<number>]
@@ -151,31 +152,31 @@
 #				       respond to arp requests based on the
 #				       value of <number>.
 #
-#   				        1 - reply only if the target IP address
+#				       1 - reply only if the target IP address
-#					is local address configured on the
+#				       is local address configured on the
-#					incoming interface
+#				       incoming interface
 #
-#					2 - reply only if the target IP address
+#				       2 - reply only if the target IP address
-#					is local address configured on the
+#				       is local address configured on the
-#					incoming interface and both with the
+#				       incoming interface and both with the
-#					sender's IP address are part from same
+#				       sender's IP address are part from same
-#					subnet on this interface
+#				       subnet on this interface
 #
-#					3 - do not reply for local addresses
+#				       3 - do not reply for local addresses
-#					configured with scope host, only
+#				       configured with scope host, only
-#					resolutions for global and link
+#				       resolutions for global and link
-#					addresses are replied
+#				       addresses are replied
 #
-#					4-7 - reserved
+#				       4-7 - reserved
 #
-#        				8 - do not reply for all local
+#				       8 - do not reply for all local
-#					addresses
+#				       addresses
 #
-#					If no <number> is given then the value
+#				       If no <number> is given then the value
-#					1 is assumed
+#				       1 is assumed
 #
-#					WARNING -- DO NOT SPECIFY arp_ignore
+#				       WARNING -- DO NOT SPECIFY arp_ignore
-#					FOR ANY INTERFACE INVOLVED IN PROXY ARP.
+#				       FOR ANY INTERFACE INVOLVED IN PROXY ARP.
 #
 #			nosmurfs     - Filter packets for smurfs
 #				       (packets with a broadcast
@@ -190,11 +191,11 @@
 #				       in the ZONE column to include only those
 #				       hosts routed through the interface.
 #
-#			upnp         - Incoming requests from this interface may
+#			upnp	     - Incoming requests from this interface
-#				       be remapped via UPNP (upnpd).
+#				       may be remapped via UPNP (upnpd).
 #			
-#		        WARNING: DO NOT SET THE detectnets OPTION ON YOUR
+#			WARNING: DO NOT SET THE detectnets OPTION ON YOUR
-#			         INTERNET INTERFACE.
+#				 INTERNET INTERFACE.
 #
 #			The order in which you list the options is not
 #			significant but the list should have no embedded white
@@ -231,9 +232,9 @@
 #
 #			net	ppp0	-
 #
-# For additional information, see http://shorewall.net/Documentation.htm#Interfaces
+# For additional information, see
-#
+# http://shorewall.net/Documentation.htm#Interfaces
-##############################################################################
-#ZONE	 INTERFACE	BROADCAST	OPTIONS			GATEWAY
 #
+###############################################################################
+#ZONE	INTERFACE	BROADCAST	OPTIONS			GATEWAY
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/ipsec

@@ -4,4 +4,4 @@
 # /etc/shorewall/zones file.
 #
 # See the IPSECFILE option in shorewall.conf for further information.
-
+#

Shorewall/maclist

@@ -1,13 +1,13 @@
 #
-# Shorewall 2.6 - MAC list file
+# Shorewall version 2.6 - Maclist file
+#
+# /etc/shorewall/maclist
 #
 #	This file is used to define the MAC addresses and optionally their
 #	associated IP addresses to be allowed to use the specified interface.
 #	The feature is enabled by using the maclist option in the interfaces
 #	or hosts configuration file.
 #
-# /etc/shorewall/maclist
-#
 # Columns are:
 #
 #	INTERFACE	Network interface to a host. If the interface
@@ -26,6 +26,6 @@
 #
 # For additional information, see http://shorewall.net/MAC_Validation.html
 #
-##############################################################################
+###############################################################################
-#INTERFACE	        MAC			IP ADDRESSES (Optional)
+#INTERFACE		MAC			IP ADDRESSES (Optional)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/macro.AllowICMPs

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.AllowICMPs
+# Shorewall version 2.6 - AllowICMPs Macro
+#
+# /usr/share/shorewall/macro.AllowICMPs
 #
 #	ACCEPT needed ICMP types
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-#
+ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-		-		icmp	fragmentation-needed
+ACCEPT	-	-	icmp	time-exceeded
-ACCEPT	-		-		icmp	time-exceeded
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Amanda

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.Amanda
+# Shorewall version 2.6 - Amanda Macro
+#
+# /usr/share/shorewall/macro.Amanda
 #
 #	This macro handles connections to the AMANDA backup system.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM    -              -               udp     10080
+PARAM	-	-	udp	10080
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Auth

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Auth
+# Shorewall version 2.6 - Auth Macro
+#
+# /usr/share/shorewall/macro.Auth
 #
 #	This macro handles Auth (identd) traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	113
+PARAM	-	-	tcp	113
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.BitTorrent

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.BitTorrent
+# Shorewall version 2.6 - BitTorrent Macro
+#
+# /usr/share/shorewall/macro.BitTorrent
 #
 #	This macro handles BitTorrent traffic.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM    -              -               tcp     6881:6889
+PARAM	-	-	tcp	6881:6889
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.CVS

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.CVS
+# Shorewall version 2.6 - CVS Macro
+#
+# /usr/share/shorewall/macro.CVS
 #
 #	This macro handles connections to the CVS pserver.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM    -              -               tcp	2401
+PARAM	-	-	tcp	2401
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.DNS

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.DNS
+# Shorewall version 2.6 - DNS Macro
+#
+# /usr/share/shorewall/macro.DNS
 #
 #	This macro handles DNS traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               udp	53
+PARAM	-	-	udp	53
-PARAM	 -		-		tcp	53
+PARAM	-	-	tcp	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Distcc

@@ -1,11 +1,13 @@
 #
-# Shorewall macro.Distcc
+# Shorewall version 2.6 - Distoc Macro
+#
+# /usr/share/shorewall/macro.Distcc
 #
 #	This macro handles connections to the Distributed Compiler
 #	service.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	3632
+PARAM	-	-	tcp	3632
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.DropDNSrep

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.DropDNSrep
+# Shorewall version 2.6 - DropDNSrep Macro
+#
+# /usr/share/shorewall/macro.DropDNSrep
 #
 #	This macro silently drops DNS UDP replies
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-DROP	 -	        -               udp	-	53
+DROP	-	-	udp	-	53
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.DropUPnP

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.DropUPnP
+# Shorewall version 2.6 - DropUPnP Macro
+#
+# /usr/share/shorewall/macro.DropUPnP
 #
 #	This macro silently drops UPnP probes on UDP port 1900
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-DROP	 -	        -               udp     1900
+DROP	-	-	udp	1900
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Edonkey

@@ -1,31 +1,35 @@
 #
-# Shorewall macro.Edonkey
+# Shorewall version 2.6 - Edonkey Macro
+#
+# /usr/share/shorewall/macro.Edonkey
 #
 #	This macro handles Edonkey traffic.
 #
-######################################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
-PARAM	 -		-		tcp	4662
-PARAM	 -		-		udp	4665
 #
-# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
+#	http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
-# says to use udp 5737 rather than 4665
+#	says to use udp 5737 rather than 4665.
 #
-# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
+#	http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
-# 4661 TCP (outgoing)
-#    Port, on which a server listens for connection (defined by server). 
-#4665 UDP (outgoing)
-#    used for global server searches and global source queries. This is
-#always Server TCP port (in this case 4661) + 4. 
-#4662 TCP (outgoing and incoming)
-#    Client to client transfers. 
-#4672 UDP (outgoing and incoming)
-#    Extended eMule protocol, Queue Rating, File Reask Ping 
-#4711 TCP
-#    WebServer listening port. 
-#4712 TCP
-#    External Connection port. Used to communicate aMule with other
-#applications such as aMule WebServer or aMuleCMD.
 #
+#	4661 TCP (outgoing) Port, on which a server listens for connection
+#	(defined by server).
+#
+#	4665 UDP (outgoing) used for global server searches and global source
+#	queries. This is always Server TCP port (in this case 4661) + 4.
+#
+#	4662 TCP (outgoing and incoming) Client to client transfers.
+#
+#	4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
+#	Rating, File Reask Ping
+#
+#	4711 TCP WebServer listening port.
+#
+#	4712 TCP External Connection port. Used to communicate aMule with other
+#	applications such as aMule WebServer or aMuleCMD.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-	-	tcp	4662
+PARAM	-	-	udp	4665
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.FTP

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.FTP
+# Shorewall version 2.6 - FTP Macro
+#
+# /usr/share/shorewall/macro.FTP
 #
 #	This macro handles FTP traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               tcp	21
+PARAM	-	-	tcp	21
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Gnutella

@@ -1,11 +1,13 @@
 #
-# Shorewall macro.Gnutella
+# Shorewall version 2.6 - Gnutella Macro
+#
+# /usr/share/shorewall/macro.Gnutella
 #
 #	This macro handles gnutella traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	6346
+PARAM	-	-	tcp	6346
-PARAM	 -		-		udp	6346
+PARAM	-	-	udp	6346
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.ICQ

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.ICQ
+# Shorewall version 2.6 - ICQ Macro
+#
+# /usr/share/shorewall/macro.ICQ
 #
 #	This macro handles ICQ traffic.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -              -               tcp     5190
+PARAM	-	-	tcp	5190
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.IMAP

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.IMAP
+# Shorewall version 2.6 - IMAP Macro
+#
+# /usr/share/shorewall/macro.IMAP
 #
 #	This macro handles IMAP traffic (secure and insecure):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	143	#Unsecure IMAP	
+PARAM	-	-	tcp	143	# Unsecure IMAP	
-PARAM	 -		-		tcp	993	#Secure IMAP
+PARAM	-	-	tcp	993	# Secure IMAP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.LDAP

@@ -1,11 +1,13 @@
 #
-# Shorewall macro.LDAP
+# Shorewall version 2.6 - LDAP Macro
+#
+# /usr/share/shorewall/macro.LDAP
 #
 #	This macro handles LDAP traffic (secure and insecure)
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM    -              -               tcp     389
+PARAM	-	-	tcp	389
-PARAM    -              -               tcp     636
+PARAM	-	-	tcp	636
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.MySQL

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.MySQL
+# Shorewall version 2.6 - MySQL Macro
+#
+# /usr/share/shorewall/macro.MySQL
 #
 #	This action macro.handles connections to the MySQL server.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	3306
+PARAM	-	-	tcp	3306
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.NNTP

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.NNTP
+# Shorewall version 2.6 NNTP Macro
+#
+# /usr/share/shorewall/macro.NNTP
 #
 #	This macro handles NNTP traffic (Usenet) and encrypted NNTP (NNTPS)
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               tcp	119
+PARAM	-	-	tcp	119
-PARAM	 -		-		tcp	563
+PARAM	-	-	tcp	563
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.NTP

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.NTP
+# Shorewall version 2.6 - NTP Macro
+#
+# /usr/share/shorewall/macro.NTP
 #
 #	This macro handles NTP traffic (ntpd).
+#	For broadcast NTP traffic, use NTPbrd Macro.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)    DEST         LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               udp	123
+PARAM	-	-	udp	123
-PARAM	 -		-		udp	1024:	123
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.NTPbrd

@@ -0,0 +1,18 @@
+#
+# Shorewall version 2.6 - NTPbrd Macro
+#
+# /usr/share/shorewall/macro.NTPbrd
+#
+#	This macro handles NTP traffic (ntpd) including replies to Broadcast
+#	NTP traffic.
+#
+#	It is recommended only to use this where the source host is trusted -
+#	otherwise it opens up a large hole in your firewall because
+#	Netfilter doesn't track connections for broadcast traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-		-		udp	123
+PARAM	-		-		udp	1024:	123
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.PCA

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.PCA
+# Shorewall version 2.6 - PCA Macro
+#
+# /usr/share/shorewall/macro.PCA
 #
 #	This macro handles PCAnywere (tm)
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		udp	5632
+PARAM	-	-	udp	5632
-PARAM	 -		-		tcp	5631
+PARAM	-	-	tcp	5631
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.POP3

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.POP3
+# Shorewall version 2.6 - POP3 Macro
+#
+# /usr/share/shorewall/macro.POP3
 #
 #	This macro handles POP3 traffic (secure and insecure):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)    DEST         LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	110	#Unsecure POP3	
+PARAM	-	-	tcp	110	# Unsecure POP3	
-PARAM	 -		-		tcp	995	#Secure POP3
+PARAM	-	-	tcp	995	# Secure POP3
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Ping

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Ping
+# Shorewall version 2.6 - Ping Macro
+#
+# /usr/share/shorewall/macro.Ping
 #
 #	This macro handles 'ping' requests.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               icmp	8
+PARAM	-	-	icmp	8
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.PostgreSQL

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.PostgreSQL
+# Shorewall version 2.6 - PostgreSQL Macro
+#
+# /usr/share/shorewall/macro.PostgreSQL
 #
 #	This macro handles connections to the PostgreSQL server.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -              -               tcp	5432
+PARAM	-	-	tcp	5432
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Rdate

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Rdate
+# Shorewall version 2.6 - Rdate Macro
+#
+# /usr/share/shorewall/macro.Rdate
 #
 #	This macro handles remote time retrieval (rdate).
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               tcp	37
+PARAM	-	-	tcp	37
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Rsync

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.Rsync
+# Shorewall version 2.6 - Rsync Macro
+#
+# /usr/share/shorewall/macro.Rsync
 #
 #	This macro handles connections to the rsync server.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM    -              -               tcp	873
+PARAM	-	-	tcp	873
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SMB

@@ -1,14 +1,16 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.SMB
+# Shorewall version 2.6 - SMB Macro
+#
+# /usr/share/shorewall/macro.SMB
 #
 #	Handle Microsoft SMB traffic. You need to invoke this macro in
 #	both directions.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               udp     135,445
+PARAM	-	-	udp	135,445
-PARAM    -              -               udp     137:139
+PARAM	-	-	udp	137:139
-PARAM	 -		-		udp	1024:	137
+PARAM	-	-	udp	1024:	137
-PARAM    -              -               tcp     135,139,445
+PARAM	-	-	tcp	135,139,445
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SMBswat

@@ -1,11 +1,13 @@
 #
-# Shorewall macro.SMBswat
+# Shorewall version 2.6 - SMBswat Macro
+#
+# /usr/share/shorewall/macro.SMBswat
 #
 #	This macro handles connections to the Samba Web Administration
 #	Tool (SWAT).
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM    -              -               tcp     901
+PARAM	-	-	tcp	901
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SMTP

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.SMTP
+# Shorewall version 2.6 - SMTP Macro
+#
+# /usr/share/shorewall/macro.SMTP
 #
 #	This macro handles SMTP (email) traffic.
 #
@@ -8,8 +10,8 @@
 #	reading of email via POP3 or IMAP. For those you need to use
 #	the POP3 or IMAP macros.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	25
+PARAM	-	-	tcp	25
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SNMP

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.SNMP
+# Shorewall version 2.6 - SNMP Macro
+#
+# /usr/share/shorewall/macro.SNMP
 #
 #	This macro accepts SNMP traffic (including traps):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		udp	161:162	
+PARAM	-	-	udp	161:162	
-PARAM	 -		-		tcp	161
+PARAM	-	-	tcp	161
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SPAMD

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.SPAMD
+# Shorewall version 2.6 - SPAMD Macro
+#
+# /usr/share/shorewall/macro.SPAMD
 #
 #	This macro handles Spam Assassin SPAMD traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               tcp	783
+PARAM	-	-	tcp	783
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SSH

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.SSH
+# Shorewall version 2.6 - SSH Macro
+#
+# /usr/share/shorewall/macro.SSH
 #
 #	This macro handles secure shell (SSH) traffic.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	22
+PARAM	-	-	tcp	22
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.SVN

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.SVN
+# Shorewall version 2.6 - SVN Macro
 #
-#	This macro handles connections to the Subversion server.
+# /usr/share/shorewall/macro.SVN
 #
-################################################################################
+#	This macro handles connections to the Subversion (SVN) server.
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#
-#                       	        	PORT		PORT(S)    LIMIT
+###############################################################################
-PARAM    -              -               tcp	3690
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-	-	tcp	3690
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Submission

@@ -0,0 +1,12 @@
+#
+# Shorewall version 2.6 - Submission Macro
+#
+# /usr/share/shorewall/macro.Submission
+#
+#	This macro handles mail message submission traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-	-	tcp	587
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Syslog

@@ -1,10 +1,12 @@
 #
-# Shorewall macro.Syslog
+# Shorewall version 2.6 - Syslog Macro
+#
+# /usr/share/shorewall/macro.Syslog
 #
 #	This macro handles syslog UDP traffic.
 #
-################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST		SOURCE	   RATE
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT		PORT(S)    LIMIT
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM    -              -               udp     514
+PARAM	-	-	udp	514
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Telnet

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Telnet
+# Shorewall version 2.6 - Telnet Macro
+#
+# /usr/share/shorewall/macro.Telnet
 #
 #	This macro handles Telnet traffic. For traffic over the
 #	internet, telnet is inappropriate; use SSH instead
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               tcp	23
+PARAM	-	-	tcp	23
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Trcrt

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Trcrt
+# Shorewall version 2.6 -Trcrt Macro
+#
+# /usr/share/shorewall/macro.Trcrt
 #
 #	This macro handles Traceroute (for up to 30 hops):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               udp	33434:33524 #UDP Traceroute
+PARAM	-	-	udp	33434:33524 # UDP Traceroute
-PARAM	 -		-		icmp	8	    #ICMP Traceroute
+PARAM	-	-	icmp	8	    # ICMP Traceroute
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.VNC

@@ -1,10 +1,12 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.VNC
+# Shorewall version 2.6 - VNC Macro
+#
+# /usr/share/shorewall/macro.VNC
 #
 #	This macro handles VNC traffic for VNC display's 0 - 9.
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -	        -               tcp	5900:5909
+PARAM	-	-	tcp	5900:5909
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.VNCL

@@ -1,10 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.VNCL
+# Shorewall version 2.6 -VNCL Macro
 #
-#	This macro handles VNC traffic from Vncservers to Vncviewers in listen mode.
+# /usr/share/shorewall/macro.VNCL
 #
-######################################################################################
+#	This macro handles VNC traffic from Vncservers to Vncviewers in listen
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#	mode.
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#
-PARAM	 -	        -               tcp	5500
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
+PARAM	-	-	tcp	5500
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.Web

@@ -1,11 +1,13 @@
 #
-# Shorewall 2.6 /usr/share/shorewall/macro.Web
+# Shorewall version 2.6 - Web Macro
+#
+# /usr/share/shorewall/macro.Web
 #
 #	This macro handles WWW traffic (secure and insecure):
 #
-######################################################################################
+###############################################################################
-#TARGET  SOURCE		DEST      	PROTO	DEST    SOURCE	 	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
-#                       	        	PORT    PORT(S)		LIMIT	GROUP
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
-PARAM	 -		-		tcp	80
+PARAM	-	-	tcp	80
-PARAM	 -		-		tcp	443
+PARAM	-	-	tcp	443
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/macro.template

@@ -1,21 +1,24 @@
 #
-# Shorewall version 2.6 - Macro Template File
+# Shorewall version 2.6 - Template Macro
 #
 # /usr/share/shorewall/macro.template
 #
 # Macro files are similar to template files with the following exceptions:
 #
-#	- A macro file is not processed unless the marcro that it defines is referenced in the
+#	- A macro file is not processed unless the marcro that it defines is
-#	  /etc/shorewall/rules file or in an action definition file.
+#	  referenced in the /etc/shorewall/rules file or in an action
+#	  definition file.
 #
-#	- Macros are translated directly into one or more rules whereas actions become their own
+#	- Macros are translated directly into one or more rules whereas
-#	  chain.
+#	  actions become their own chain.
 #
-#	- All entries in a macro undergo substitution when the macro is invoked in the rules file.
+#	- All entries in a macro undergo substitution when the macro is
+#	  invoked in the rules file.
 #
 #	- Macros may not invoke other macros.
 #
-# The columns in a macro definition are the same as those in the action.template file.
+# The columns in a macro definition are the same as those in the
+# action.template file.
 # A few examples should help show how Macros work.
 #
 # /etc/shorewall/macro.FwdFTP:
@@ -26,44 +29,52 @@
 #
 # /etc/shorewall/rules:
 #
-#	#ACTION	SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL RATE	USER/
-#	#					PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#				PORT	PORT(S)	DEST	 LIMIT	GROUP
 #	FwdFTP	net	loc:192.168.1.5
 #
 # The result is equivalent to:
 #
-#	#ACTION	SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#	#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL RATE	USER/
-#	#					PORT	PORT(S)	DEST		LIMIT	GROUP
+#	#				PORT	PORT(S)	DEST	 LIMIT	GROUP
 #	DNAT	net	loc:192.168.1.5	tcp	21	
 #
 # The substitution rules are as follows:
 #
-#	ACTION column		If in the invocation of the macro, the macro name is followed by
+#	ACTION column		If in the invocation of the macro, the macro
-#				slash ("/") and a second name, the second name is substituted for
+#				name is followed by slash ("/") and a second
-#				each entry in the macro whose ACTION is PARAM
+#				name, the second name is substituted for each
+#				entry in the macro whose ACTION is PARAM
 #
-#				For example, if macro FOO is invoked as FOO/ACCEPT then when
+#				For example, if macro FOO is invoked as
-#				expanding macro.FOO, Shorewall will substitute ACCEPT in each
+#				FOO/ACCEPT then when expanding macro.FOO,
-#				entry in macro.FOO whose ACTION column contains PARAM. PARAM may
+#				Shorewall will substitute ACCEPT in each
-#				be optionally followed by a colon and a log level.
+#				entry in macro.FOO whose ACTION column
+#				contains PARAM. PARAM may be optionally
+#				followed by a colon and a log level.
 #	
-#				Any logging specified when the macro is invoked is applied to each
+#				Any logging specified when the macro is
-#				entry in the macros.
+#				invoked is applied to each entry in the macros.
 #
-#	SOURCE and DEST		If the column in the macro is empty then the value in the rules 
+#	SOURCE and DEST		If the column in the macro is empty then the
-#	columns 		file is used. If the column in the macro is non-empty then any
+#	columns			value in the rules file is used. If the column
-#				value in the rules file is appended with a ":" separator.
+#				in the macro is non-empty then any value in
-#
+#				the rules file is appended with a ":"
-#				Example:   Macro File	DNAT	net	loc	tcp	21
+#				separator.
-#					   rules File	FwdFTP	-	192.168.1.5
-#					   Result	DNAT	net	loc:192.168.1.5	tcp	21
-#	
-#	Remaining 		Any value in the rules file REPLACES the value given in the macro
-#	columns			file.
 #
 #
+#	Example:		###############################################
+#				#ACTION	SOURCE	DEST		PROTO	DEST
+#				#					PORT
+#		   Macro File	DNAT	net	loc		tcp	21
+#		   rules File	FwdFTP	-	192.168.1.5
+#		   Result	DNAT	net	loc:192.168.1.5	tcp	21
 #	
-####################################################################################################
+#	Remaining		Any value in the rules file REPLACES the value
-#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   RATE		USER/
+#	columns			given in the macro file.
-#                       	        	PORT    PORT(S)    LIMIT	GROUP
+#
+#		
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
+#				PORT	PORT(S)	DEST		LIMIT	GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/masq

@@ -1,10 +1,10 @@
 #
-# Shorewall 2.6 - Masquerade file
+# Shorewall version 2.6 - Masq file
 #
 # /etc/shorewall/masq
 #
-# Use this file to define dynamic NAT (Masquerading) and to define Source NAT
+#	Use this file to define dynamic NAT (Masquerading) and to define
-# (SNAT).
+#	Source NAT (SNAT).
 #
 # Columns are:
 #
@@ -12,13 +12,13 @@
 #		     interface. If ADD_SNAT_ALIASES=Yes in
 #		     /etc/shorewall/shorewall.conf, you may add ":" and
 #		     a digit to indicate that you want the alias added with
-#                    that name (e.g., eth0:0). This will allow the alias to
+#		     that name (e.g., eth0:0). This will allow the alias to
 #		     be displayed with ifconfig. THAT IS THE ONLY USE FOR
 #		     THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
 #		     PLACE IN YOUR SHOREWALL CONFIGURATION.
 #
 #		     This may be qualified by adding the character
-#                    ":" followed by a destination host or subnet.
+#		     ":" followed by a destination host or subnet.
 #
 #		     If you wish to inhibit the action of ADD_SNAT_ALIASES
 #		     for this entry then include the ":" but omit the digit:
@@ -53,7 +53,7 @@
 #		  In that example traffic from eth1 would be masqueraded unless
 #		  it came from 192.168.1.4 or 196.168.32.0/27
 #
-#	ADDRESS -- (Optional).  If you specify an address here, SNAT will be
+#	ADDRESS -- (Optional).	If you specify an address here, SNAT will be
 #				used and this will be the source address. If
 #				ADD_SNAT_ALIASES is set to Yes or yes in
 #				/etc/shorewall/shorewall.conf then Shorewall
@@ -89,26 +89,29 @@
 #				You can invoke the SAME target using the
 #				following in this column:
 #
-#				   SAME:[nodst:]<address-range>[,<address-range>...]
+#			SAME:[nodst:]<address-range>[,<address-range>...]
 #
 #				The <address-ranges> may be single addresses.
 #
-#				SAME works like SNAT with the exception that the
+#				SAME works like SNAT with the exception that
-#				same local IP address is assigned to each connection
+#				the same local IP address is assigned to each
-#				from a local address to a given remote address. If
+#				connection from a local address to a given
-#				the 'nodst:' option is included, then the same source
+#				remote address.
-#				address is used for a given internal system regardless
+#
-#				of which remote system is involved.
+#				If the 'nodst:' option is included, then the
+#				same source address is used for a given
+#				internal system regardless of which remote
+#				system is involved.
 #
 #				If you want to leave this column empty
 #				but you need to specify the next column then
 #				place a hyphen ("-") here.
 #
-#	PROTO -- (Optional)     If you wish to restrict this entry to a
+#	PROTO -- (Optional)	If you wish to restrict this entry to a
 #				particular protocol then enter the protocol
 #				name (from /etc/protocols) or number here.
 #
-#	PORT(S) -- (Optional)   If the PROTO column specifies TCP (protocol 6)
+#	PORT(S) -- (Optional)	If the PROTO column specifies TCP (protocol 6)
 #				or UDP (protocol 17) then you may list one
 #				or more port numbers (or names from
 #				/etc/services) separated by commas or you
@@ -125,21 +128,22 @@
 #				your kernel and iptables must include policy
 #				match support.
 #
-#				Comma-separated list of options from the following.
+#				Comma-separated list of options from the
-#				Only packets that will be encrypted via an SA that
+#				following. Only packets that will be encrypted
-#				matches these options will have their source address
+#				via an SA that matches these options will have
-#				changed.
+#				their source address changed.
 #
-#					Yes or yes -- must be the only option listed
+#					Yes or yes -- must be the only option
-#					and matches all outbound traffic that will be
+#					listed and matches all outbound
-#					encrypted.
+#					traffic that will be encrypted.
 #
-#					reqid=<number> where <number> is specified
+#					reqid=<number> where <number> is
-#					using setkey(8) using the 'unique:<number>
+#					specified using setkey(8) using the
-#					option for the SPD level.
+#					'unique:<number> option for the SPD
+#					level.
 #
-#					spi=<number> where <number> is the SPI of
+#					spi=<number> where <number> is the
-#					the SA.
+#					SPI of the SA.
 #
 #					proto=ah|esp|ipcomp
 #
@@ -151,11 +155,11 @@
 #					tunnel-dst=<address>[/<mask>] (only
 #					available with mode=tunnel)
 #
-#					strict  Means that packets must match all
+#					strict	Means that packets must match
-#						rules.
+#						all rules.
 #
-#					next    Separates rules; can only be used
+#					next	Separates rules; can only be
-#						with strict..
+#						used with strict..
 #
 #	Example 1:
 #
@@ -179,13 +183,13 @@
 #
 #			eth0	192.168.1.0/24
 #
-#       Example 3:
+#	Example 3:
 #
-#                 You have an IPSEC tunnel through ipsec0 and you want to
+#		  You have an IPSEC tunnel through ipsec0 and you want to
-#                 masquerade packets coming from 192.168.1.0/24 but only if
+#		  masquerade packets coming from 192.168.1.0/24 but only if
-#                 these packets are destined for hosts in 10.1.1.0/24:
+#		  these packets are destined for hosts in 10.1.1.0/24:
 #
-#                       ipsec0:10.1.1.0/24      196.168.1.0/24
+#			ipsec0:10.1.1.0/24	196.168.1.0/24
 #
 #	Example 4:
 #
@@ -212,5 +216,5 @@
 # For additional information, see http://shorewall.net/Documentation.htm#Masq
 #
 ###############################################################################
-#INTERFACE	        SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
+#INTERFACE		SUBNET		ADDRESS		PROTO	PORT(S)	IPSEC
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/modules

@@ -1,27 +1,31 @@
-##############################################################################
-# Shorewall 2.6 /etc/shorewall/modules
 #
-# This file loads the modules needed by the firewall.
+# Shorewall version 2.6 - Modules File
 #
-# THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
+# /etc/shorewall/modules
-# dependency order. i.e., if M2 depends on M1 then you must load M1 before
-# you load M2.
 #
-# For additional information, see http://shorewall.net/Documentation.htm#modules
+#	This file loads the modules needed by the firewall.
-
+#
-    loadmodule ip_tables
+#	THE ORDER OF THE COMMANDS BELOW IS IMPORTANT!!!!!! You MUST load in
-    loadmodule iptable_filter
+#	dependency order. i.e., if M2 depends on M1 then you must load M1
-    loadmodule ip_conntrack
+#	before you load M2.
-    loadmodule ip_conntrack_ftp
+#
-    loadmodule ip_conntrack_tftp
+# For additional information, see
-    loadmodule ip_conntrack_irc
+# http://shorewall.net/Documentation.htm#modules
-    loadmodule iptable_nat
+#
-    loadmodule ip_nat_ftp
+###############################################################################
-    loadmodule ip_nat_tftp
+loadmodule ip_tables
-    loadmodule ip_nat_irc
+loadmodule iptable_filter
-    loadmodule ip_set
+loadmodule ip_conntrack
-    loadmodule ip_set_iphash
+loadmodule ip_conntrack_ftp
-    loadmodule ip_set_ipmap
+loadmodule ip_conntrack_tftp
-    loadmodule ip_set_macipmap
+loadmodule ip_conntrack_irc
-    loadmodule ip_set_portmap
+loadmodule iptable_nat
-
+loadmodule ip_nat_ftp
+loadmodule ip_nat_tftp
+loadmodule ip_nat_irc
+loadmodule ip_set
+loadmodule ip_set_iphash
+loadmodule ip_set_ipmap
+loadmodule ip_set_macipmap
+loadmodule ip_set_portmap
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/nat

@@ -1,6 +1,5 @@
-##############################################################################
 #
-# Shorewall 2.6  -- Network Address Translation Table
+# Shorewall version 2.6 - Nat File
 #
 # /etc/shorewall/nat
 #
@@ -8,17 +7,17 @@
 #	(NAT).
 #
 # WARNING: If all you want to do is simple port forwarding, do NOT use this
-#          file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
+#	   file. See http://www.shorewall.net/FAQ.htm#faq1. Also, in most
 #	   cases, Proxy ARP is a better solution that one-to-one NAT.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	EXTERNAL	External IP Address - this should NOT be the primary
 #			IP address of the interface named in the next
 #			column and must not be a DNS Name.
 #
 #	INTERFACE	Interface that you want to EXTERNAL address to appear
-#                       on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
+#			on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
 #			follow the interface name with ":" and a digit to
 #			indicate that you want Shorewall to add the alias
 #			with this name (e.g., "eth0:0"). That allows you to
@@ -31,17 +30,17 @@
 #			":" and no digit (e.g., "eth0:").
 #	INTERNAL	Internal Address (must not be a DNS Name).
 #
-#       ALL INTERFACES  If Yes or yes, NAT will be effective from all hosts.
+#	ALL INTERFACES	If Yes or yes, NAT will be effective from all hosts.
-#                       If No or no (or left empty) then NAT will be effective
+#			If No or no (or left empty) then NAT will be effective
-#                       only through the interface named in the INTERFACE
+#			only through the interface named in the INTERFACE
-#                       column
+#			column
 #
-#       LOCAL           If Yes or yes, NAT will be effective from the firewall
+#	LOCAL		If Yes or yes, NAT will be effective from the firewall
-#                       system
+#			system
 #
 # For additional information, see http://shorewall.net/NAT.htm
-##############################################################################
+#
+###############################################################################
 #EXTERNAL	INTERFACE	INTERNAL	ALL		LOCAL
 #						INTERFACES
-#
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/netmap

@@ -1,6 +1,5 @@
-##############################################################################
 #
-# Shorewall 2.6  -- Network Mapping Table
+# Shorewall version 2.6	 - Netmap File
 #
 # /etc/shorewall/netmap
 #
@@ -10,9 +9,9 @@
 #	WARNING: To use this file, your kernel and iptables must have
 #		 NETMAP support included.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
-#	TYPE	        Must be DNAT or SNAT.
+#	TYPE		Must be DNAT or SNAT.
 #
 #			If DNAT, traffic entering INTERFACE and addressed to
 #			NET1 has it's destination address rewritten to the
@@ -32,7 +31,6 @@
 # See http://shorewall.net/netmap.html for an example and usage
 # information.
 #
-##############################################################################
+###############################################################################
 #TYPE	NET1			INTERFACE	NET2
-#
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/params

@@ -1,25 +1,27 @@
 #
-# Shorewall 2.6 /etc/shorewall/params
+# Shorewall version 2.4 - Params File
 #
-# Assign any variables that you need here.
+# /etc/shorewall/params
 #
-# It is suggested that variable names begin with an upper case letter
+#	Assign any variables that you need here.
-# to distinguish them from variables used internally within the
-# Shorewall programs
 #
-# Example:
+#	It is suggested that variable names begin with an upper case letter
+#	to distinguish them from variables used internally within the
+#	Shorewall programs
 #
-#	NET_IF=eth0
+#	Example:
-#	NET_BCAST=130.252.100.255
-#	NET_OPTIONS=routefilter,norfc1918
 #
-# Example (/etc/shorewall/interfaces record):
+#		NET_IF=eth0
+#		NET_BCAST=130.252.100.255
+#		NET_OPTIONS=routefilter,norfc1918
 #
-#	net	$NET_IF		$NET_BCAST	$NET_OPTIONS
+#	Example (/etc/shorewall/interfaces record):
 #
-# The result will be the same as if the record had been written
+#		net	$NET_IF		$NET_BCAST	$NET_OPTIONS
 #
-#	net	eth0		130.252.100.255	routefilter,norfc1918
+#	The result will be the same as if the record had been written
 #
-##############################################################################
+#		net	eth0		130.252.100.255	routefilter,norfc1918
+#
+###############################################################################
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/policy

@@ -1,9 +1,9 @@
 #
-# Shorewall 2.6 -- Policy File
+# Shorewall version 2.6 - Policy File
 #
 # /etc/shorewall/policy
 #
-#	             THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
+#		     THE ORDER OF ENTRIES IN THIS FILE IS IMPORTANT
 #
 #	This file determines what to do with a new connection request if we
 #	don't get a match from the /etc/shorewall/rules file . For each
@@ -23,39 +23,43 @@
 #
 #			ACCEPT		- Accept the connection
 #			DROP		- Ignore the connection request
-#			REJECT		- For TCP, send RST. For all other, send
+#			REJECT		- For TCP, send RST. For all other,
-#					  "port unreachable" ICMP.
+#					  send "port unreachable" ICMP.
 #			QUEUE		- Send the request to a user-space
 #					  application using the QUEUE target.
 #			CONTINUE	- Pass the connection request past
 #					  any other rules that it might also
-#					  match (where the source or destination
+#					  match (where the source or
-#					  zone in those rules is a superset of
+#					  destination zone in those rules is
-#					  the SOURCE or DEST in this policy).
+#					  a superset of the SOURCE or DEST
+#					  in this policy).
 #			NONE		- Assume that there will never be any
 #					  packets from this SOURCE
-#					  to this DEST. Shorewall will not set up
+#					  to this DEST. Shorewall will not set
-#					  any infrastructure to handle such
+#					  up any infrastructure to handle such
-#				 	  packets and you may not have any rules
+#					  packets and you may not have any
-#					  with this SOURCE and DEST in the
+#					  rules with this SOURCE and DEST in
-#					  /etc/shorewall/rules file. If such a
+#					  the /etc/shorewall/rules file. If
-#					  packet _is_ received, the result is
+#					  such a packet _is_ received, the
-#					  undefined. NONE may not be used if the 
+#					  result is undefined. NONE may not be
-#					  SOURCE or DEST columns contain the
+#					  used if the SOURCE or DEST columns
-#					  firewall zone ($FW) or "all".
+#					  contain the firewall zone ($FW) or
+#					  "all".
 #
 #			If this column contains ACCEPT, DROP or REJECT and a
 #			corresponding common action is defined in
-#			/etc/shorewall/actions (or /usr/share/shorewall/actions.std)
+#			/etc/shorewall/actions (or
-#			then that action will be invoked before the policy named in
+#			/usr/share/shorewall/actions.std) then that action
-#			this column is inforced.
+#			will be invoked before the policy named in this column
+#			is inforced.
 #
 #			The policy determined the default treatment of new
-#			connection requests and may optionally be followed by ":" 
+#			connection requests and may optionally be followed by
-#			and an ESTABLISHED policy which determines what
+#			":" and an ESTABLISHED policy which determines what
-#			is to be done with packets that are part of an established
+#			is to be done with packets that are part of an
-#			connection. The choices are ACCEPT (the default) and QUEUE
+#			established connection. The choices are ACCEPT (the
-#			(to queue the packet to a user-space filter like Snort Inline). 
+#			default) and QUEUE (to queue the packet to a
+#			user-space filter like Snort Inline).
 #
 #	LOG LEVEL	If supplied, each connection handled under the default
 #			POLICY is logged at that level. If not supplied, no
@@ -93,6 +97,7 @@
 #	all		all		REJECT		info
 #
 # See http://shorewall.net/Documentation.htm#Policy for additional information.
+#
 ###############################################################################
 #SOURCE		DEST		POLICY		LOG		LIMIT:BURST
 #						LEVEL

Shorewall/providers

@@ -1,6 +1,5 @@
-##############################################################################
 #
-# Shorewall 2.6  -- Internet Service Providers
+# Shorewall version 2.6 - Providers File
 #
 # /etc/shorewall/providers
 #
@@ -15,7 +14,7 @@
 #
 #	To omit a column, enter "-".
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	NAME		The provider name.
 #
@@ -76,11 +75,13 @@
 #      eth1 connects to ISP 2. The IP address of eth1 is 130.252.99.27 and the
 #      ISP's gateway router has IP address 130.252.99.254.
 #
-#      #NAME   NUMBER  MARK DUPLICATE   INTERFACE   GATEWAY         OPTIONS		COPY
+#      #NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY	     OPTIONS	  COPY
-#      ISP1    1       1    main        eth0        206.124.146.254 track,balance
+#      ISP1  1	    1	 main	   eth0	     206.124.146.254 track,balance
-#      ISP2    2       2    main        eth1        130.252.99.254  track,balance 
+#      ISP2  2	    2	 main	   eth1	     130.252.99.254  track,balance
 #
-# For additional information, see http://shorewall.net/Shorewall_and_Routing.html
+# For additional information, see
-##############################################################################################
+# http://shorewall.net/Shorewall_and_Routing.html
+#
+############################################################################################
 #NAME	NUMBER	MARK	DUPLICATE	INTERFACE	GATEWAY		OPTIONS		COPY
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Shorewall/proxyarp

@@ -1,12 +1,11 @@
-##############################################################################
 #
-# Shorewall 2.6 -- Proxy ARP
+# Shorewall version  2.6 - Proxyarp File
 #
 # /etc/shorewall/proxyarp
 #
 #	This file is used to define Proxy ARP.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	ADDRESS		IP Address
 #
@@ -41,6 +40,7 @@
 #			155.186.235.6	eth1		eth0
 #
 # See http://shorewall.net/ProxyARP.htm for additional information.
-##############################################################################
+#
+###############################################################################
 #ADDRESS	INTERFACE	EXTERNAL	HAVEROUTE	PERSISTENT
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/rfc1918

@@ -1,18 +1,19 @@
 #
-# Shorewall 2.6 -- RFC1918 File
+# Shorewall version 2.6 - Rfc1918 File
 #
 # /etc/shorewall/rfc1918
 #
-# Lists the subnetworks that are blocked by the 'norfc1918' interface option.
+#	Lists the subnetworks that are blocked by the 'norfc1918' interface
+#	option.
 #
-# The default list includes those IP addresses listed in RFC 1918.
+#	The default list includes those IP addresses listed in RFC 1918.
 #
 #	DO NOT MODIFY THIS FILE. IF YOU NEED TO MAKE CHANGES, COPY THE FILE
 #	TO /etc/shorewall AND MODIFY THE COPY.
 #
 # Columns are:
 #
-# 	SUBNETS		A comma-separated list of subnet addresses
+#	SUBNETS		A comma-separated list of subnet addresses
 #			(host addresses also allowed as are IP
 #			address ranges provided that your kernel and iptables
 #			have iprange match support).
@@ -21,23 +22,24 @@
 #			DROP	- silently drop the packet
 #			logdrop - log then drop
 #
-# By default, the RETURN target causes 'norfc1918' processing to cease for a
+#	By default, the RETURN target causes 'norfc1918' processing to cease
-# packet if the packet's source IP address matches the rule. Thus, if you have:
+#	for a packet if the packet's source IP address matches the rule. Thus,
+#	if you have:
 #
-#	SUBNETS			TARGET
+#		SUBNETS			TARGET
-#	192.168.1.0/24		RETURN
+#		192.168.1.0/24		RETURN
 #
-# then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though you 
+#	then traffic from 192.168.1.4 to 10.0.3.9 will be accepted even though
-# also have:
+#	you also have:
 #
-#	SUBNETS			TARGET
+#		SUBNETS			TARGET
-#	10.0.0.0/8		logdrop
+#		10.0.0.0/8		logdrop
 #
-# Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic to be
+#	Setting RFC1918_STRICT=Yes in shorewall.conf will cause such traffic
-# logged and dropped since while the packet's source matches the RETURN rule,
+#	to be logged and dropped since while the packet's source matches the
-# the packet's destination matches the 'logdrop' rule.
+#	RETURN rule, the packet's destination matches the 'logdrop' rule.
 #
-################################################################################
+###############################################################################
 #SUBNETS		TARGET
 172.16.0.0/12		logdrop		# RFC 1918
 192.168.0.0/16		logdrop		# RFC 1918

Shorewall/routestopped

@@ -1,6 +1,5 @@
-##############################################################################
 #
-# Shorewall 2.6 -- Hosts Accessible when the Firewall is Stopped
+# Shorewall version 2.6 - Routestopped File
 #
 # /etc/shorewall/routestopped
 #
@@ -8,7 +7,7 @@
 #	firewall is stopped or when it is in the process of being
 #	[re]started.
 #
-# Columns must be separated by white space and are:
+# Columns are:
 #
 #	INTERFACE	- Interface through which host(s) communicate with
 #			  the firewall
@@ -19,7 +18,7 @@
 #
 #			  If left empty or supplied as "-",
 #			  0.0.0.0/0 is assumed.
-#	OPTIONS         - (Optional) A comma-separated list of
+#	OPTIONS		- (Optional) A comma-separated list of
 #			  options. The currently-supported options are:
 #
 #			  routeback - Set up a rule to ACCEPT traffic from
@@ -27,15 +26,15 @@
 #
 #			  source - Allow traffic from these hosts to ANY
 #			  destination. Without this option or the 'dest'
-#                         option, only traffic from this host to other
+#			  option, only traffic from this host to other
 #			  listed hosts (and the firewall) is allowed. If
-#                         'source' is specified then 'routeback' is redundent.
+#			  'source' is specified then 'routeback' is redundent.
 #
 #			  dest - Allow traffic to these hosts from ANY
 #			  source. Without this option or the 'source'
-#                         option, only traffic from this host to other
+#			  option, only traffic from this host to other
 #			  listed hosts (and the firewall) is allowed. If
-#                         'dest' is specified then 'routeback' is redundent.
+#			  'dest' is specified then 'routeback' is redundent.
 #
 #			  critical - Allow traffic between the firewall and
 #			  these hosts throughout '[re]start', 'stop' and
@@ -55,6 +54,7 @@
 # See http://shorewall.net/Documentation.htm#Routestopped and
 # http://shorewall.net/starting_and_stopping_shorewall.htm for additional
 # information.
-##############################################################################
+#
-#INTERFACE	HOST(S)		OPTIONS
+###############################################################################
+#INTERFACE	HOST(S)			OPTIONS
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/rules

@@ -5,9 +5,9 @@
 #
 #	Rules in this file govern connection establishment. Requests and
 #	responses are automatically allowed using connection tracking. For any
-#       particular (source,dest) pair of zones, the rules are evaluated in the
+#	particular (source,dest) pair of zones, the rules are evaluated in the
-#       order in which they appear in this file and the first match is the one
+#	order in which they appear in this file and the first match is the one
-#       that determines the disposition of the request.
+#	that determines the disposition of the request.
 #
 #	In most places where an IP address or subnet is allowed, you
 #	can preceed the address/subnet with "!" (e.g., !192.168.1.0/24) to
@@ -16,29 +16,29 @@
 #	address/subnet.
 #------------------------------------------------------------------------------
 # WARNING: If you masquerade or use SNAT from a local system to the internet,
-#          you cannot use an ACCEPT rule to allow traffic from the internet to
+#	   you cannot use an ACCEPT rule to allow traffic from the internet to
 #	   that system. You *must* use a DNAT rule instead.
-#-------------------------------------------------------------------------------#
+#------------------------------------------------------------------------------
 # Columns are:
 #
 #	ACTION		ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
 #			LOG, QUEUE or an <action>.
 #
-#				ACCEPT   -- allow the connection request
+#				ACCEPT	 -- allow the connection request
-#				ACCEPT+  -- like ACCEPT but also excludes the
+#				ACCEPT+	 -- like ACCEPT but also excludes the
 #					    connection from any subsequent
 #					    DNAT[-] or REDIRECT[-] rules
-#				NONAT    -- Excludes the connection from any
+#				NONAT	 -- Excludes the connection from any
 #					    subsequent DNAT[-] or REDIRECT[-]
 #					    rules but doesn't generate a rule
 #					    to accept the traffic.
-#				DROP     -- ignore the request
+#				DROP	 -- ignore the request
-#				REJECT   -- disallow the request and return an
+#				REJECT	 -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.
-#				DNAT     -- Forward the request to another
+#				DNAT	 -- Forward the request to another
 #					    system (and optionally another
 #					    port).
-#				DNAT-    -- Advanced users only.
+#				DNAT-	 -- Advanced users only.
 #					    Like DNAT but only generates the
 #					    DNAT iptables rule and not
 #					    the companion ACCEPT rule.
@@ -48,7 +48,7 @@
 #					    listed, all requests from a given
 #					    remote system go to the same
 #					    server.
-#				SAME-    -- Advanced users only.
+#				SAME-	 -- Advanced users only.
 #					    Like SAME but only generates the
 #					    NAT iptables rule and not
 #					    the companion ACCEPT rule.
@@ -69,7 +69,7 @@
 #					    connection request will be passed
 #					    to the rules defined for that
 #					    (those) zone(s).
-#				LOG      -- Simply log the packet and continue.
+#				LOG	 -- Simply log the packet and continue.
 #				QUEUE	 -- Queue the packet to a user-space
 #					    application such as ftwall
 #					    (http://p2pwall.sf.net).
@@ -111,14 +111,14 @@
 #			LOGPREFIX setting.
 #
 #	SOURCE		Source hosts to which the rule applies. May be a zone
-#                       defined in /etc/shorewall/zones, $FW to indicate the
+#			defined in /etc/shorewall/zones, $FW to indicate the
-#			firewall itself, "all" or "none" If the ACTION is DNAT or
+#			firewall itself, "all" or "none" If the ACTION is DNAT
-#			REDIRECT, sub-zones of the specified zone may be
+#			or REDIRECT, sub-zones of the specified zone may be
 #			excluded from the rule by following the zone name with
 #			"!' and a comma-separated list of sub-zone names.
 #
-#			When "none" is used either in the SOURCE or DEST column,
+#			When "none" is used either in the SOURCE or DEST
-#			the rule is ignored.
+#			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. You must add
@@ -134,11 +134,12 @@
 #			Hosts may be specified as an IP address range using the
 #			syntax <low address>-<high address>. This requires that
 #			your kernel and iptables contain iprange match support.
-#                       If you kernel and iptables have ipset match support then
+#			If you kernel and iptables have ipset match support
-#                       you may give the name of an ipset prefaced by "+". The
+#			then you may give the name of an ipset prefaced by "+".
-#                       ipset name may be optionally followed by a number from
+#			The ipset name may be optionally followed by a number
-#                       1 to 6 enclosed in square brackets ([]) to indicate the
+#			from 1 to 6 enclosed in square brackets ([]) to
-#                       number of levels of source bindings to be matched.
+#			indicate the number of levels of source bindings to be
+#			matched.
 #
 #			dmz:192.168.2.2		Host 192.168.2.2 in the DMZ
 #
@@ -148,8 +149,8 @@
 #			loc:192.168.1.1,192.168.1.2
 #						Hosts 192.168.1.1 and
 #						192.168.1.2 in the local zone.
-#			loc:~00-A0-C9-15-39-78  Host in the local zone with
+#			loc:~00-A0-C9-15-39-78	Host in the local zone with
-#                                               MAC address 00:A0:C9:15:39:78.
+#						MAC address 00:A0:C9:15:39:78.
 #
 #			net:192.0.2.11-192.0.2.17
 #						Hosts 192.0.2.11-192.0.2.17 in
@@ -167,8 +168,8 @@
 #			/etc/shorewall/zones, $FW to indicate the firewall
 #			itself, "all" or "none".
 #
-#			When "none" is used either in the SOURCE or DEST column,
+#			When "none" is used either in the SOURCE or DEST
-#			the rule is ignored.
+#			column, the rule is ignored.
 #
 #			When "all" is used either in the SOURCE or DEST column
 #			intra-zone traffic is not affected. You must add
@@ -194,13 +195,13 @@
 #			the connections will be assigned to addresses in the
 #			range in a round-robin fashion.
 #
-#                       If you kernel and iptables have ipset match support then
+#			If you kernel and iptables have ipset match support
-#                       you may give the name of an ipset prefaced by "+". The
+#			then you may give the name of an ipset prefaced by "+".
-#                       ipset name may be optionally followed by a number from
+#			The ipset name may be optionally followed by a number
-#                       1 to 6 enclosed in square brackets ([]) to indicate the
+#			from 1 to 6 enclosed in square brackets ([]) to
-#                       number of levels of destination bindings to be matched.
+#			indicate the number of levels of destination bindings
-#                       Only one of the SOURCE and DEST columns may specify an
+#			to be matched. Only one of the SOURCE and DEST columns
-#                       ipset name.
+#			may specify an ipset name.
 #
 #			The port that the server is listening on may be
 #			included and separated from the server's IP address by
@@ -220,7 +221,7 @@
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", a number, or
 #			"all".
 #
-#	DEST PORT(S)    Destination Ports. A comma-separated list of Port
+#	DEST PORT(S)	Destination Ports. A comma-separated list of Port
 #			names (from /etc/services), port numbers or port
 #			ranges; if the protocol is "icmp", this column is
 #			interpreted as the destination icmp-type(s).
@@ -246,8 +247,8 @@
 #			ranges.
 #
 #			If you don't want to restrict client ports but need to
-#			specify an ORIGINAL DEST in the next column, then place
+#			specify an ORIGINAL DEST in the next column, then
-#			"-" in this column.
+#			place "-" in this column.
 #
 #			If your kernel contains multi-port match support, then
 #			only a single Netfilter rule will be generated if in
@@ -257,8 +258,8 @@
 #			Otherwise, a separate rule will be generated for each
 #			port.
 #
-#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-] then 
+#	ORIGINAL DEST	(0ptional) -- If ACTION is DNAT[-] or REDIRECT[-]
-#			if included and different from the IP
+#			then if included and different from the IP
 #			address given in the SERVER column, this is an address
 #			on some interface on the firewall and connections to
 #			that address will be forwarded to the IP and port
@@ -277,12 +278,12 @@
 #			For other actions, this column may be included and may
 #			contain one or more addresses (host or network)
 #			separated by commas. Address ranges are not allowed.
-#                       When this column is supplied, rules are generated
+#			When this column is supplied, rules are generated
-#                       that require that the original destination address matches
+#			that require that the original destination address
-#                       one of the listed addresses. This feature is most useful when
+#			matches one of the listed addresses. This feature is
-#                       you want to generate a filter rule that corresponds to a 
+#			most useful when you want to generate a filter rule
-#		        DNAT- or REDIRECT- rule. In this usage, the list of
+#			that corresponds to a DNAT- or REDIRECT- rule. In this
-#			addresses should not begin with "!".
+#			usage, the list of addresses should not begin with "!".
 #
 #			See http://shorewall.net/PortKnocking.html for an
 #			example of using an entry in this column with a
@@ -306,7 +307,7 @@
 #			
 #			The column may contain:
 #
-#			   [!][<user name or number>][:<group name or number>][+<program name>]
+#	[!][<user name or number>][:<group name or number>][+<program name>]
 #
 #			When this column is non-empty, the rule applies only
 #			if the program generating the output is running under
@@ -318,54 +319,54 @@
 #				joe	#program must be run by joe
 #				:kids	#program must be run by a member of
 #					#the 'kids' group
-#				!:kids  #program must not be run by a member
+#				!:kids	#program must not be run by a member
 #					#of the 'kids' group
-#				+upnpd  #program named 'upnpd'
+#				+upnpd	#program named 'upnpd'
 #
 #	Example: Accept SMTP requests from the DMZ to the internet
 #
-#	#ACTION SOURCE	DEST PROTO	DEST    SOURCE	ORIGINAL
+#	#ACTION SOURCE	DEST PROTO	DEST	SOURCE	ORIGINAL
-#	#                               PORT    PORT(S) DEST
+#	#				PORT	PORT(S) DEST
 #	ACCEPT	dmz	net	  tcp	smtp
 #
-#	Example: Forward all ssh and http connection requests from the internet
+#	Example: Forward all ssh and http connection requests from the
-#		 to local system 192.168.1.3
+#		 internet to local system 192.168.1.3
 #
-#	#ACTION SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL
+#	#ACTION SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#	#                                       PORT    PORT(S) DEST
+#	#					PORT	PORT(S) DEST
 #	DNAT	net	loc:192.168.1.3 tcp	ssh,http
 #
 #	Example: Forward all http connection requests from the internet
 #		 to local system 192.168.1.3 with a limit of 3 per second and
 #		 a maximum burst of 10
 #
-#	#ACTION 	SOURCE	DEST            PROTO	DEST    SOURCE	ORIGINAL	RATE
+#	#ACTION SOURCE DEST	       PROTO  DEST  SOURCE  ORIGINAL RATE
-#	#                                       	PORT    PORT(S) DEST		LIMIT
+#	#				      PORT  PORT(S) DEST     LIMIT
-#	DNAT		net	loc:192.168.1.3 tcp	http	-	-		3/sec:10
+#	DNAT	net    loc:192.168.1.3 tcp    http  -	    -	     3/sec:10
 #
 #	Example: Redirect all locally-originating www connection requests to
 #		 port 3128 on the firewall (Squid running on the firewall
 #		 system) except when the destination address is 192.168.2.2
 #
-#	#ACTION  SOURCE	DEST      PROTO	DEST    SOURCE	ORIGINAL
+#	#ACTION	 SOURCE	DEST	  PROTO	DEST	SOURCE	ORIGINAL
-#	#                               PORT    PORT(S) DEST
+#	#				PORT	PORT(S) DEST
-#	REDIRECT loc	3128      tcp	www	 -	!192.168.2.2
+#	REDIRECT loc	3128	  tcp	www	 -	!192.168.2.2
 #
 #	Example: All http requests from the internet to address
-#                130.252.100.69 are to be forwarded to 192.168.1.3
+#		 130.252.100.69 are to be forwarded to 192.168.1.3
 #
-#	#ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL
+#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#	#                               	PORT    PORT(S) DEST
+#	#					PORT	PORT(S) DEST
-#	DNAT      net	loc:192.168.1.3 tcp     80      -       130.252.100.69
+#	DNAT	  net	loc:192.168.1.3 tcp	80	-	130.252.100.69
 #
-#       Example: You want to accept SSH connections to your firewall only 
+#	Example: You want to accept SSH connections to your firewall only
 #		 from internet IP addresses 130.252.100.69 and 130.252.100.70
 #
-#	#ACTION  SOURCE	DEST      	PROTO	DEST    SOURCE	ORIGINAL
+#	#ACTION	 SOURCE	DEST		PROTO	DEST	SOURCE	ORIGINAL
-#	#                               	PORT    PORT(S) DEST
+#	#					PORT	PORT(S) DEST
 #	ACCEPT	 net:130.252.100.69,130.252.100.70 fw \
 #					tcp	22
-####################################################################################################
+#############################################################################################################
-#ACTION  SOURCE		DEST      	PROTO	DEST    SOURCE	   ORIGINAL	RATE		USER/
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/
-#                       	        	PORT    PORT(S)    DEST		LIMIT		GROUP
+#						PORT	PORT(S)		DEST		LIMIT		GROUP
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/shorewall.conf

@@ -1,4 +1,4 @@
-##############################################################################
+###############################################################################
 #  /etc/shorewall/shorewall.conf V2.6 - Change the following variables to
 #  match your setup
 #
@@ -7,17 +7,19 @@
 #  This file should be placed in /etc/shorewall
 #
 #  (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
-##############################################################################
+###############################################################################
-#                      S T A R T U P   E N A B L E D
+#		       S T A R T U P   E N A B L E D
-##############################################################################
+###############################################################################
+#
 # Once you have configured Shorewall, you may change the setting of
 # this variable to 'Yes'
+#
 
 STARTUP_ENABLED=No
 
-##############################################################################
+###############################################################################
-#                              L O G G I N G
+#			       L O G G I N G
-##############################################################################
+###############################################################################
 #
 # General note about log levels. Log levels are a method of describing
 # to syslog (8) the importance of a message and a number of parameters
@@ -53,7 +55,7 @@ STARTUP_ENABLED=No
 # installed by default). Ulogd is also available from
 # http://www.gnumonks.org/projects/ulogd and can be configured to log all
 # Shorewall message to their own log file
-################################################################################
+###############################################################################
 #
 # LOG FILE LOCATION
 #
@@ -62,10 +64,11 @@ STARTUP_ENABLED=No
 # /var/log/messages is assumed.
 #
 # WARNING: The LOGFILE variable simply tells the 'shorewall' program where to
-#          look for Shorewall messages.It does NOT control the destination for
+#	   look for Shorewall messages.It does NOT control the destination for
-#          these messages. For information about how to do that, see
+#	   these messages. For information about how to do that, see
+#
+#	       http://www.shorewall.net/shorewall_logging.html
 #
-#              http://www.shorewall.net/shorewall_logging.html
 
 LOGFILE=/var/log/messages
 
@@ -77,8 +80,8 @@ LOGFILE=/var/log/messages
 # template is expected to accept either two or three arguments; the first is
 # the chain name, the second (optional) is the logging rule number within that
 # chain and the third is the ACTION specifying the disposition of the packet
-# being logged. You must use the %d formatting type for the rule number; if your
+# being logged. You must use the %d formatting type for the rule number; if
-# template does not contain %d then the rule number will not be included.
+# your template does not contain %d then the rule number will not be included.
 #
 # If you want to integrate Shorewall with fireparse, then set LOGFORMAT as:
 #
@@ -92,6 +95,7 @@ LOGFILE=/var/log/messages
 # 'status' and 'hits' commands. This part should not be omitted (the
 # LOGFORMAT should not begin with "%") and the leading part should be
 # sufficiently unique for /sbin/shorewall to identify Shorewall messages.
+#
 
 LOGFORMAT="Shorewall:%s:%s:"
 
@@ -174,6 +178,7 @@ BLACKLIST_LOGLEVEL=
 # See the comment at the top of this section for a description of log levels
 #
 # Example: LOGNEWNOTSYN=debug
+#
 
 LOGNEWNOTSYN=info
 
@@ -220,7 +225,6 @@ RFC1918_LOG_LEVEL=info
 #'nosmurfs' interface option in /etc/shorewall/interfaces and in
 # /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
 # ) then dropped smurfs are not logged.
-
 #
 # See the comment at the top of this section for a description of log levels
 #
@@ -238,9 +242,9 @@ SMURF_LOG_LEVEL=info
 
 LOG_MARTIANS=No
 
-################################################################################
+###############################################################################
-#       L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
+#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
-################################################################################
+###############################################################################
 #
 # IPTABLES
 #
@@ -253,7 +257,7 @@ IPTABLES=
 
 #
 # PATH - Change this if you want to change the order in which Shorewall
-#        searches directories for executable files.
+#	 searches directories for executable files.
 #
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -263,6 +267,7 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # The firewall script is normally interpreted by /bin/sh. If you wish to change
 # the shell used to interpret that script, specify the shell here.
+#
 
 SHOREWALL_SHELL=/bin/sh
 
@@ -281,6 +286,7 @@ SUBSYSLOCK=/var/lock/subsys/shorewall
 # If your netfilter kernel modules are in a directory other than
 # /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter then specify that
 # directory in this variable. Example: MODULESDIR=/etc/modules.
+#
 
 MODULESDIR=
 
@@ -296,6 +302,7 @@ MODULESDIR=
 #
 # If not specified or specified as null ("CONFIG_PATH=""),
 # CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
+#
 
 CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 
@@ -314,6 +321,7 @@ CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 # directory /var/lib/shorewall. If this option is not set or if it is
 # set to the empty value (RESTOREFILE="") then RESTOREFILE=restore is
 # assumed.
+#
 
 RESTOREFILE=
 
@@ -323,14 +331,16 @@ RESTOREFILE=
 # Previous versions of Shorewall had both a 'zones' file and an 'ipsec' file.
 # Beginning with 2.5.0, those files were combined. For users who haven't
 # converted, we offer this variable that sets the name of the file for ipsec
-# information. This option must take the value "zones" or "ipsec". If the option
+# information. This option must take the value "zones" or "ipsec". If the
-# is not set or is set to the empty value (IPSECFILE="") then "ipsec" is assumed.
+# option is not set or is set to the empty value (IPSECFILE="") then "ipsec"
+# is assumed.
+#
 
 IPSECFILE=zones
 
-################################################################################
+###############################################################################
-#                       F I R E W A L L   O P T I O N S
+#			F I R E W A L L	  O P T I O N S
-################################################################################
+###############################################################################
 
 # NAME OF THE FIREWALL ZONE
 #
@@ -369,9 +379,9 @@ ADD_IP_ALIASES=Yes
 # AUTOMATICALLY ADD SNAT IP ADDRESSES
 #
 # If you say "Yes" or "yes" here, Shorewall will automatically add IP addresses
-# for each SNAT external address that you give in /etc/shorewall/masq. If you say
+# for each SNAT external address that you give in /etc/shorewall/masq. If you
-# "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No" unless
+# say "No" or "no", you must add these aliases youself. LEAVE THIS SET TO "No"
-# you are sure that you need it -- most people don't!!!
+# unless you are sure that you need it -- most people don't!!!
 #
 
 ADD_SNAT_ALIASES=No
@@ -395,8 +405,9 @@ RETAIN_ALIASES=No
 #
 # ENABLE TRAFFIC SHAPING
 #
-# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall. If
+# If you say "Yes" or "yes" here, Traffic Shaping is enabled in the firewall.
-# you say "No" or "no" then traffic shaping is not enabled.
+# If you say "No" or "no" then traffic shaping is not enabled.
+#
 
 TC_ENABLED=No
 
@@ -413,6 +424,7 @@ TC_ENABLED=No
 # classifier based on packet marking defined in /etc/shorewall/tcrules.
 #
 # If omitted, CLEAR_TC=Yes is assumed.
+#
 
 CLEAR_TC=Yes
 
@@ -425,14 +437,15 @@ CLEAR_TC=Yes
 # MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
 #
 # Marking packets in the FORWARD chain has the advantage that inbound
-# packets destined for Masqueraded/SNATed local hosts have had their destination
+# packets destined for Masqueraded/SNATed local hosts have had their
-# address rewritten so they can be marked based on their destination. When
+# destination address rewritten so they can be marked based on their
-# packets are marked in the PREROUTING chain, packets destined for
+# destination. When packets are marked in the PREROUTING chain, packets
-# Masqueraded/SNATed local hosts still have a destination address corresponding
+# destined for Masqueraded/SNATed local hosts still have a destination address
-# to the firewall's external interface.
+# corresponding to the firewall's external interface.
 #
 # Note: Older kernels do not support marking packets in the FORWARD chain and
-#       setting this variable to Yes may cause startup problems.
+#	setting this variable to Yes may cause startup problems.
+#
 
 MARK_IN_FORWARD_CHAIN=No
 
@@ -456,7 +469,7 @@ MARK_IN_FORWARD_CHAIN=No
 #    problem are that everything works fine from your Linux
 #    firewall/router, but machines behind it can never exchange large
 #    packets:
-#        1) Web browsers connect, then hang with no data received.
+#	 1) Web browsers connect, then hang with no data received.
 #	 2) Small mail works fine, but large emails hang.
 #	 3) ssh works fine, but scp hangs after initial handshaking.
 # ]
@@ -481,12 +494,14 @@ CLAMPMSS=No
 # interfaces started while Shorewall is started (anti-spoofing measure).
 #
 # If this variable is not set or is set to the empty value, "No" is assumed.
-# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
+# Regardless of the setting of ROUTE_FILTER, you can still enable route
-# on individual interfaces using the 'routefilter' option in the
+# filtering on individual interfaces using the 'routefilter' option in the
 # /etc/shorewall/interfaces file.
+#
 
 ROUTE_FILTER=No
 
+#
 # DNAT IP ADDRESS DETECTION
 #
 # Normally when Shorewall encounters the following rule:
@@ -515,6 +530,7 @@ ROUTE_FILTER=No
 # one of the interfaces associated with the source zone. Note that this
 # requires all interfaces to the source zone to be up when the firewall
 # is [re]started.
+#
 
 DETECT_DNAT_IPADDRS=No
 
@@ -530,6 +546,7 @@ DETECT_DNAT_IPADDRS=No
 #
 # An appropriate value for this parameter would be twice the length of time
 # that it takes your firewall system to process a "shorewall restart" command.
+#
 
 MUTEX_TIMEOUT=60
 
@@ -541,8 +558,8 @@ MUTEX_TIMEOUT=60
 #	CLIENT			SERVER
 #
 #	SYN-------------------->
-#            <------------------SYN,ACK
+#	     <------------------SYN,ACK
-#       ACK-------------------->
+#	ACK-------------------->
 #
 # The first packet in that exchange (packet with the SYN flag on and the ACK
 # and RST flags off) is referred to in Netfilter terminology as a "syn" packet.
@@ -575,6 +592,7 @@ MUTEX_TIMEOUT=60
 # connection from the conntrack table but the end-points haven't
 # completed shutting down the connection).  I therefore have chosen
 # NEWNOTSYN=Yes as the default value.
+#
 
 NEWNOTSYN=Yes
 
@@ -595,8 +613,8 @@ NEWNOTSYN=Yes
 # a remote firewall (or worse, they have to get someone out of bed to drive
 # across town to restart a very remote firewall).
 #
-# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this setting,
+# For those administrators, we offer ADMINISABSENTMINDED=Yes. With this
-# when the firewall enters the 'stopped' state:
+# setting, when the firewall enters the 'stopped' state:
 #
 # All traffic that is part of or related to established connections is still
 # allowed and all OUTPUT traffic is allowed. This is in addition to traffic
@@ -613,8 +631,8 @@ ADMINISABSENTMINDED=Yes
 #
 # Shorewall offers two types of blacklisting:
 #
-#	- static blacklisting through the /etc/shorewall/blacklist file together
+#	- static blacklisting through the /etc/shorewall/blacklist file
-#	  with the 'blacklist' interface option.
+#	  together with the 'blacklist' interface option.
 #	- dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
 #
 # The following variable determines whether the blacklist is checked for each
@@ -636,6 +654,7 @@ BLACKLISTNEWONLY=Yes
 # time and that new connections are disabled during that time. By setting
 # DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
 # before loading the blacklist.
+#
 
 DELAYBLACKLISTLOAD=No
 
@@ -700,6 +719,7 @@ DYNAMIC_ZONES=No
 # able to match certain broadcast packets. If you set PKTTYPE=No then Shorewall
 # will use IP addresses to detect broadcasts rather than pkttype. If not given
 # or if given as empty (PKTTYPE="") then PKTTYPE=Yes is assumed.
+#
 
 PKTTYPE=Yes
 
@@ -727,7 +747,8 @@ PKTTYPE=Yes
 # RFC1918_STRICT=No is assumed.
 #
 # WARNING: RFC1918_STRICT=Yes requires that your kernel and iptables support
-#          'conntrack state' match.
+#	   'conntrack state' match.
+#
 
 RFC1918_STRICT=No
 
@@ -751,6 +772,7 @@ RFC1918_STRICT=No
 # If MACLIST_TTL is not specified or is specified as empty (e.g,
 # MACLIST_TTL="" or is specified as zero then 'maclist' lookups will not
 # be cached.
+#
 
 MACLIST_TTL=
 
@@ -762,9 +784,10 @@ MACLIST_TTL=
 #	Restore the last saved ipset contents during "shorewall [re]start"
 #	Save the current ipset contents during "shorewall save"
 #
-#       Regardless of the setting of SAVE_IPSETS, if ipset contents were
+#	Regardless of the setting of SAVE_IPSETS, if ipset contents were
 #	saved during a "shorewall save" then they will be restored during
 #	a subsequent "shorewall restore".
+#
 
 SAVE_IPSETS=No
 
@@ -776,12 +799,13 @@ SAVE_IPSETS=No
 # compatibility, Shorewall can map the old names into invocations of the new
 # macros if you set MAPOLDACTIONS=Yes. If this option is not set or is set to
 # the empty value (MAPOLDACTIONS="") then MAPOLDACTIONS=Yes is assumed
+#
 
 MAPOLDACTIONS=No
 
-################################################################################
+###############################################################################
-#                       P A C K E T   D I S P O S I T I O N
+#			P A C K E T   D I S P O S I T I O N
-################################################################################
+###############################################################################
 #
 # BLACKLIST DISPOSITION
 #
@@ -800,6 +824,7 @@ BLACKLIST_DISPOSITION=DROP
 # that is not listed for that interface in /etc/shorewall/maclist. Valid
 # values are ACCEPT, DROP and REJECT. If not specified or specified as
 # empty (MACLIST_DISPOSITION="") then REJECT is assumed
+#
 
 MACLIST_DISPOSITION=REJECT
 
@@ -811,6 +836,7 @@ MACLIST_DISPOSITION=REJECT
 # 'tcpflags' option specified in /etc/shorewall/interfaces or in
 # /etc/shorewall/hosts. If not specified or specified as empty
 # (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
+#
 
 TCP_FLAGS_DISPOSITION=DROP
 

Shorewall/start

@@ -1,8 +1,13 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/start
 #
-# Add commands below that you want to be executed after shorewall has
+# Shorewall version 2.4 - Start File
-# been started or restarted.
+#
+# /etc/shorewall/start
+#
+#	Add commands below that you want to be executed after shorewall has
+#	been started or restarted.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/started

@@ -1,17 +1,23 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/started
 #
-# Add commands below that you want to be executed after shorewall has
+# Shorewall version 2.6 - Started File
-# been completely started or restarted. The difference between this
-# extension script and /etc/shorewall/start is that this one is invoked
-# after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
-# after the 'shorewall' chain has been created (thus signaling that the
-# firewall is completely up.
 #
-# This script should not change the firewall configuration directly but may
+# /etc/shorewall/started
-# do so indirectly by running /sbin/shorewall with the 'nolock' option.
+#
+#	Add commands below that you want to be executed after shorewall has
+#	been completely started or restarted. The difference between this
+#	extension script and /etc/shorewall/start is that this one is invoked
+#	after delayed loading of the blacklist (DELAYBLACKLISTLOAD=Yes) and
+#	after the 'shorewall' chain has been created (thus signaling that the
+#	firewall is completely up.
+#
+#	This script should not change the firewall configuration directly but
+#	may do so indirectly by running /sbin/shorewall with the 'nolock'
+#	option.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information. Note though that the "ensure_and_save_command" function
 # should not be used in this script because Shorewall is already running
 # when this function is called.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/stop

@@ -1,8 +1,13 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/stop
 #
-# Add commands below that you want to be executed at the beginning of a
+# Shorewall version 2.6 - Stop File
-# "shorewall stop" command.
+#
+# /etc/shorewall/stop
+#
+#	Add commands below that you want to be executed at the beginning of a
+#	"shorewall stop" command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/stopped

@@ -1,8 +1,13 @@
-############################################################################
-# Shorewall 2.6 -- /etc/shorewall/stopped
 #
-# Add commands below that you want to be executed at the completion of a
+# Shorewall version 2.4 - Stopped File
-# "shorewall stop" command.
+#
+# /etc/shorewall/stopped
+#
+#	Add commands below that you want to be executed at the completion of a
+#	"shorewall stop" command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
+#
+###############################################################################
+#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

Shorewall/tcrules

@@ -1,12 +1,12 @@
 #
-# Shorewall version 2.6 - Traffic Control Rules File
+# Shorewall version 2.6 - Tcrules File
 #
 # /etc/shorewall/tcrules
 #
 #	Entries in this file cause packets to be marked as a means of
 #	classifying them for traffic control or policy routing.
 #
-#                              I M P O R T A N T ! ! ! !
+#			       I M P O R T A N T ! ! ! !
 #
 #		FOR ENTRIES IN THIS FILE TO HAVE ANY EFFECT, YOU MUST SET
 #		TC_ENABLED=Yes in /etc/shorewall/shorewall.conf
@@ -24,13 +24,14 @@
 #
 #
 #	MARK/		a) A mark value which is an integer in the range 1-255
-#       CLASSIFY
+#	CLASSIFY
 #			   May optionally be followed by ":P" or ":F"
 #			   where ":P" indicates that marking should occur in
 #			   the PREROUTING chain and ":F" indicates that marking
 #			   should occur in the FORWARD chain. If neither
-#			   ":P" nor ":F" follow the mark value then the chain is
+#			   ":P" nor ":F" follow the mark value then the chain
-#			   determined by the setting of MARK_IN_FORWARD_CHAIN in
+#			   is determined by the setting of
+#			   MARK_IN_FORWARD_CHAIN in
 #			   /etc/shorewall/shorewall.conf.
 #
 #			   If your kernel and iptables include CONNMARK support
@@ -38,19 +39,20 @@
 #			   the packet.
 #
 #			   The mark value may be optionally followed by "/"
-#		           and a mask value (used to determine those bits of
+#			   and a mask value (used to determine those bits of
-#                          the connection mark to actually be set). The
+#			   the connection mark to actually be set). The
-#                          mark and optional mask are then followed by one of:
+#			   mark and optional mask are then followed by one of:
 #
 #				C - Mark the connection in the chain determined
-#                                   by the setting of MARK_IN_FORWARD_CHAIN
+#				    by the setting of MARK_IN_FORWARD_CHAIN
 #
-#			        CF: Mark the connection in the FORWARD chain
+#				CF: Mark the connection in the FORWARD chain
 #
-#				CP: Mark the connection in the PREROUTING chain.
+#				CP: Mark the connection in the PREROUTING
+#				    chain.
 #
 #			b) A classification of the form <major>:<minor> where
-#		    	   <major> and <minor> are integers. Corresponds to 
+#			   <major> and <minor> are integers. Corresponds to
 #			   the 'class' specification in these traffic shaping
 #			   modules:
 #
@@ -65,19 +67,24 @@
 #
 #			c) RESTORE[/mask] -- restore the packet's mark from the
 #			   connection's mark using the supplied mask if any.
-#			   Your kernel and iptables must  include CONNMARK support.
+#			   Your kernel and iptables must include CONNMARK
+#			   support.
+#
 #			   As in a) above, may be followed by ":P" or ":F
 #
 #			c) SAVE[/mask] -- save the packet's mark to the
 #			   connection's mark using the supplied mask if any.
-#			   Your kernel and iptables must  include CONNMARK support.
+#			   Your kernel and iptables must include CONNMARK
+#			   support.
+#
 #			   As in a) above, may be followed by ":P" or ":F
 #
 #			d) CONTINUE -- don't process any more marking rules in
-#			   the table. As in a) above, may be followed by ":P" or
+#			   the table.
-#			   ":F".
 #
-#	SOURCE 		Source of the packet. A comma-separated list of
+#			   As in a) above, may be followed by ":P" or ":F".
+#
+#	SOURCE		Source of the packet. A comma-separated list of
 #			interface names, IP addresses, MAC addresses
 #			and/or subnets. If your kernel and iptables include
 #			iprange match support, IP address ranges are also
@@ -97,9 +104,9 @@
 #			iptables include iprange match support, IP address
 #			ranges are also allowed.
 #
-#                       If the MARK column specificies a classification of
+#			If the MARK column specificies a classification of
-#                       the form <major>:<minor> then this column may also
+#			the form <major>:<minor> then this column may also
-#                       contain an interface name.
+#			contain an interface name.
 #
 #	PROTO		Protocol - Must be "tcp", "udp", "icmp", "ipp2p",
 #			a number, or "all". "ipp2p" requires ipp2p match
@@ -111,8 +118,8 @@
 #			interpreted as the destination icmp-type(s).
 #
 #			If the protocol is ipp2p, this column is interpreted
-#			as an ipp2p option without the leading "--" (example "bit"
+#			as an ipp2p option without the leading "--" (example
-#			for bit-torrent). If no PORT is given, "ipp2p" is
+#			"bit" for bit-torrent). If no PORT is given, "ipp2p" is
 #			assumed.
 #
 #			This column is ignored if PROTOCOL = all but must be
@@ -134,27 +141,29 @@
 #
 #			It may contain :
 #
-#			   [<user name or number>]:[<group name or number>][+<program name>]
+#	[<user name or number>]:[<group name or number>][+<program name>]
 #
 #			The colon is optionnal when specifying only a user
 #			or a program name.
-#			Examples : john: , john , :users , john:users , +mozilla-bin
+#			Examples : john: , john , :users , john:users ,
+#				   +mozilla-bin
 #
-#	TEST		Defines a test on the existing packet or connection mark. 
+#	TEST		Defines a test on the existing packet or connection
-#			The rule will match only if the test returns true. Tests
+#			mark. The rule will match only if the test returns
-#			have the format [!]<value>[/<mask>][:C]
+#			true. Tests have the format [!]<value>[/<mask>][:C]
 #
 #			Where:
 #
 #				!	Inverts the test (not equal)
 #				<value> Value of the packet or connection mark.
-#				<mask>  A mask to be applied to the mark before
+#				<mask>	A mask to be applied to the mark before
 #					testing
-#				:C	Designates a connection mark. If omitted,
+#				:C	Designates a connection mark. If
-#					the packet mark's value is tested.
+#					omitted, the packet mark's value is
+#					tested.
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
-##############################################################################
+###############################################################################
-#MARK		SOURCE 		DEST		PROTO	PORT(S)	CLIENT	USER	TEST
+#MARK	SOURCE		DEST		PROTO	PORT(S)	CLIENT	USER	TEST
-#								PORT(S)
+#							PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/tos

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.6 -- /etc/shorewall/tos
+# Shorewall version 2.6 - Tos File
+#
+#  /etc/shorewall/tos
 #
 #	This file defines rules for setting Type Of Service (TOS)
 #
@@ -10,7 +12,7 @@
 #
 #			If not "all" or $FW, may optionally be followed by
 #			":" and an IP address, a MAC address, a subnet
-#                       specification or the name of an interface.
+#			specification or the name of an interface.
 #
 #			Example: loc:192.168.2.3
 #
@@ -41,6 +43,7 @@
 #				Minimize-Cost (2)
 #				Normal-Service (0)
 #
-##############################################################################
+###############################################################################
-#SOURCE DEST		PROTOCOL	SOURCE PORTS	DEST PORTS	TOS
+#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS
+#						PORTS	PORTS
 #LAST LINE -- Add your entries above -- DO NOT REMOVE

Shorewall/tunnels

@@ -1,5 +1,7 @@
 #
-# Shorewall 2.4 - /etc/shorewall/tunnels
+# Shorewall version 2.6 - Tunnels File
+#
+# /etc/shorewall/tunnels
 #
 #	This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
 #
@@ -9,13 +11,13 @@
 #
 #	The columns are:
 #
-#	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat","ipip"
+#	TYPE	    --	must start in column 1 and be "ipsec", "ipsecnat",
-#			"gre", "6to4", "pptpclient", "pptpserver", "openvpn" or 
+#			"ipip", "gre", "6to4", "pptpclient", "pptpserver",
-#			"generic"
+#			"openvpn" or "generic"
 #
-#			If the type is "ipsec" or "ipsecnat", it may be followed
+#			If the type is "ipsec" or "ipsecnat", it may be
-#			by ":noah" to indicate that the Authentication Header
+#			followed by ":noah" to indicate that the Authentication
-#			protocol (51) is not used by the tunnel.
+#			Header protocol (51) is not used by the tunnel.
 #
 #			If type is "openvpn", it may optionally be followed
 #			by ":" and the port number used by the tunnel. if no
@@ -102,16 +104,17 @@
 #
 #		Example 8:
 #
-#			You have a tunnel that is not one of the supported types.
+#			You have a tunnel that is not one of the supported
-#			Your tunnel uses UDP port 4444. The other end of the
+#			types. Your tunnel uses UDP port 4444. The other end
-#			tunnel is 4.3.99.124.
+#			of the tunnel is 4.3.99.124.
 #
 #			generic:udp:4444	net	4.3.99.124
 #
 #
-# See http://shorewall.net/Documentation.htm#Tunnels for additional information.
+# See http://shorewall.net/Documentation.htm#Tunnels for additional
+# information.
 #
-# TYPE			ZONE	GATEWAY		GATEWAY
+###############################################################################
+#TYPE			ZONE	GATEWAY		GATEWAY
 #						ZONE
-#
 #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Shorewall/zones

@@ -1,20 +1,24 @@
 #
-# Shorewall 2.6 /etc/shorewall/zones
+# Shorewall version 2.6 - Zones File
 #
-# This file determines your network zones. Columns are:
+# /etc/shorewall/zones
+#
+#	This file determines your network zones.
+#
+# Columns are:
 #
 #	ZONE	Short name of the zone (5 Characters or less in length).
 #		The names "all" and "none" are reserved and may not be
 #		used as zone names.
 #
-#	IPSEC   Yes --  Communication with all zone hosts is encrypted
+#	IPSEC	Yes --	Communication with all zone hosts is encrypted
 #	ONLY		Your kernel and iptables must include policy
 #			match support.
-#		No  --  Communication with some zone hosts may be encrypted. 
+#		No  --	Communication with some zone hosts may be encrypted.
 #			Encrypted hosts are designated using the 'ipsec'
 #			option in /etc/shorewall/hosts.
 #
-#	OPTIONS,        A comma-separated list of options as follows:
+#	OPTIONS,	A comma-separated list of options as follows:
 #	IN OPTIONS,
 #	OUT OPTIONS	reqid=<number> where <number> is specified
 #			using setkey(8) using the 'unique:<number>
@@ -35,10 +39,10 @@
 #			tunnel-dst=<address>[/<mask>] (only
 #			available with mode=tunnel)
 #
-#			strict  Means that packets must match all rules.
+#			strict	Means that packets must match all rules.
 #
-#			next    Separates rules; can only be used with
+#			next	Separates rules; can only be used with
-#                               strict..
+#				strict..
 #
 #		Example:
 #			mode=transport,reqid=44
@@ -55,16 +59,18 @@
 # OVERLAPPING ZONES DEFINED THROUGH /etc/shorewall/hosts.
 #
 # See http://www.shorewall.net/Documentation.htm#Nested
-#--------------------------------------------------------------------------------
+#------------------------------------------------------------------------------
 # Example zones:
 #
-#    You have a three interface firewall with internet, local and DMZ interfaces.
+#	You have a three interface firewall with internet, local and DMZ
+#	interfaces.
 #
 #	#ZONE	IPSEC	OPTIONS		IN			OUT	
 #	net	
 #	loc
 #	dmz
 #
+###############################################################################
 #ZONE	IPSEC	OPTIONS			IN			OUT
 #	ONLY				OPTIONS			OPTIONS
 #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE