Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1090 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-01-24 15:56:22 +00:00 · 2004-01-24 15:56:22 +00:00 · ac8d03c5f4
commit ac8d03c5f4
parent 2e80e459bb
10 changed files with 172 additions and 178 deletions
--- a/Shorewall-docs/Documentation.xml
+++ b/Shorewall-docs/Documentation.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-05</pubdate>
+    <pubdate>2004-01-22</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -680,6 +680,21 @@ dmz        DMZ            Demilitarized zone</programlisting>
            </varlistentry>
          </variablelist>
          <variablelist>
            <varlistentry>
              <term>detectnets</term>
              <listitem>
                <para>(Added in version 1.4.10) - If this option is specified,
                the zone named in the ZONE column will contain only the hosts
                routed through the interface named in the INTERFACE column.
                <emphasis role="bold">Do not set this option on your external
                (Internet) interface!</emphasis> The interface must be in the
                UP state when Shorewall is [re]started.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>My recommendations concerning options:</para>
          <itemizedlist>
@ -688,7 +703,7 @@ dmz        DMZ            Demilitarized zone</programlisting>
            </listitem>
            <listitem>
-              <para>Wireless Interface -- <emphasis role="bold">maclist,routefilter,tcpflags</emphasis></para>
+              <para>Wireless Interface -- <emphasis role="bold">maclist,routefilter,tcpflags,detectnets</emphasis></para>
            </listitem>
            <listitem>
@ -926,7 +941,7 @@ loc         eth1:192.168.1.0/24,192.168.12.0/24</programlisting>
    to a particular connection request then the policy from
    <filename>/etc/shorewall/policy</filename> is applied.</para>
-    <para>Four policies are defined:</para>
+    <para>Five policies are defined:</para>
    <variablelist>
      <varlistentry>
@ -1827,14 +1842,23 @@ DNAT     net      loc:192.168.1.101-192.168.1.109 tcp   80</programlisting>
          optionally qualified by adding <quote>:</quote> and a subnet or host
          IP. When this qualification is added, only packets addressed to that
          host or subnet will be masqueraded. Beginning with Shorewall version
-          1.3.14, if you have set ADD_SNAT_ALIASES=Yes in <xref linkend="Conf" />,
+          1.4.10, the interface name can be qualified with &#34;:&#34;
-          you can cause Shorewall to create an alias <emphasis>label</emphasis>
+          followed by a comma separated list of hosts and/or subnets. If this
-          of the form <emphasis>interfacename:digit</emphasis> (e.g., eth0:0)
+          list begins with <quote>!</quote> (e.g., <quote>eth0:!192.0.2.8/29,192.0.2.32/29</quote>)
-          by placing that label in this column. See example 5 below. Alias
+          then only packets addressed to destinations <emphasis role="bold">not</emphasis>
-          labels created in this way allow the alias to be visible to the
+          listed will be masqueraded; otherwise (e.g., <quote>eth0:192.0.2.8/29,192.0.2.32/29</quote>),
-          ipconfig utility. <emphasis role="bold">THAT IS THE ONLY THING THAT
+          traffic will be masqueraded if it <emphasis role="bold">does</emphasis>
-          THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR
+          match one of the listed addresses.</para>
-          SHOREWALL CONFIGURATION.</emphasis></para>
+
          <para>Beginning with Shorewall version 1.3.14, if you have set
          ADD_SNAT_ALIASES=Yes in <xref linkend="Conf" />, you can cause
          Shorewall to create an alias <emphasis>label</emphasis> of the form
          <emphasis>interfacename:digit</emphasis> (e.g., eth0:0) by placing
          that label in this column. See example 5 below. Alias labels created
          in this way allow the alias to be visible to the ipconfig utility.
          <emphasis role="bold">THAT IS THE ONLY THING THAT THIS LABEL IS GOOD
          FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL
          CONFIGURATION.</emphasis></para>
        </listitem>
      </varlistentry>
@ -3091,7 +3115,9 @@ eth1                -</programlisting>
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.11</revnumber><date>2005-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
+    <para><revhistory><revision><revnumber>1.12</revnumber><date>2004-01-21</date><authorinitials>TE</authorinitials><revremark>Add
    masquerade destination list.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-18</date><authorinitials>TE</authorinitials><revremark>Correct
    typo.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
    Compliance</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Improved
    formatting of DNAT- and REDIRECT- for clarity</revremark></revision><revision><revnumber>1.9</revnumber><date>2003-12-25</date><authorinitials>MN</authorinitials><revremark>Initial
    Docbook Conversion Complete</revremark></revision></revhistory></para>
--- a/Shorewall-docs/Documentation_Index.xml
+++ b/Shorewall-docs/Documentation_Index.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2003-12-31</pubdate>
+    <pubdate>2004-01-21</pubdate>
    <copyright>
      <year>2001-2003</year>
@ -23,7 +23,7 @@
      <holder>Thomas M. Eastep</holder>
    </copyright>
-    <edition>1.4.8</edition>
+    <edition>1.4.9</edition>
    <legalnotice>
      <para>Permission is granted to copy, distribute and/or modify this
@ -73,6 +73,10 @@
      (virtual) Interfaces (e.g., eth0:0)</ulink></para>
    </listitem>
    <listitem>
      <para><ulink url="traffic_shaping.htm">Bandwidth Control</ulink></para>
    </listitem>
    <listitem>
      <para><ulink url="blacklisting_support.htm">Blacklisting</ulink></para>
--- a/Shorewall-docs/FAQ.xml
+++ b/Shorewall-docs/FAQ.xml
@ -17,7 +17,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-20</pubdate>
+    <pubdate>2004-01-24</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -1590,7 +1590,12 @@ Creating input Chains...
      <para><emphasis role="bold">Answer:</emphasis> The above output is
      perfectly normal. The Net zone is defined as all hosts that are
      connected through eth0 and the local zone is defined as all hosts
-      connected through eth1</para>
+      connected through eth1. If you are running Shorewall 1.4.10 or later,
      you can consider setting the <ulink url="Documentation.htm#Interfaces"><emphasis
      role="bold">detectnets</emphasis> interface option</ulink> on your local
      interface (eth1 in the above example). That will cause Shorewall to
      restrict the local zone to only those networks routed through that
      interface.</para>
    </section>
    <section id="faq22">
@ -1909,7 +1914,9 @@ Creating input Chains...
  <appendix>
    <title>Revision History</title>
-    <para><revhistory><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
+    <para><revhistory><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
    a note about the <emphasis role="bold">detectnets</emphasis> interface
    option in FAQ 9.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-20</date><authorinitials>TE</authorinitials><revremark>Improve
    FAQ 16 answer.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Corrected
    broken link</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-01-09</date><authorinitials>TE</authorinitials><revremark>Added
    a couple of more legacy FAQ numbers.</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-01-08</date><authorinitials>TE</authorinitials><revremark>Corrected
--- a/Shorewall-docs/IPSEC.xml
+++ b/Shorewall-docs/IPSEC.xml
@ -15,14 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2003-10-29</pubdate>
+    <pubdate>2004-01-22</pubdate>
    <copyright>
-      <year>2001</year>
+      <year>2001-2004</year>
      <year>2002</year>
      <year>2003</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -37,6 +33,16 @@
    </legalnotice>
  </articleinfo>
  <warning>
    <para>This documentation does not cover configuring IPSEC under the 2.6
    Linux Kernel. David Hollis has provided i<ulink
    url="http://lists.shorewall.net/pipermail/shorewall-users/2003-December/010417.html">nformation
    about how to set up a simple tunnel under 2.6</ulink>. One important point
    that is not made explicit in David&#39;s post is that the <emphasis
    role="bold">vpn</emphasis> zone must be defined before the <emphasis
    role="bold">net</emphasis> zone in <filename>/etc/shorewall/zones</filename>.</para>
  </warning>
  <section>
    <title>Configuring FreeS/Wan</title>
--- a/Shorewall-docs/Shorewall_Squid_Usage.xml
+++ b/Shorewall-docs/Shorewall_Squid_Usage.xml
@ -15,10 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2003-10-17</pubdate>
+    <pubdate>2004-01-20</pubdate>
    <copyright>
-      <year>2003</year>
+      <year>2003-2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -33,7 +33,7 @@
    </legalnotice>
  </articleinfo>
-  <para> </para>
+  <para></para>
  <para>This page covers Shorewall configuration to use with <ulink
  url="http://www.squid-cache.org">Squid</ulink> running as a Transparent
@ -401,7 +401,7 @@ chkconfig --level 35 iptables on</programlisting>
    </section>
    <section id="DMZ">
-      <title>Squid (transparent) Running in the DMZ (This is what I do)</title>
+      <title>Squid (transparent) Running in the DMZ</title>
      <para>You have a single Linux system in your DMZ with IP address
      192.0.2.177. You want to run both a web server and Squid on that system.
--- a/Shorewall-docs/Shorewall_and_Kazaa.xml
+++ b/Shorewall-docs/Shorewall_and_Kazaa.xml
@ -15,10 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2003-10-22</pubdate>
+    <pubdate>2004-01-19</pubdate>
    <copyright>
-      <year>2003</year>
+      <year>2003-2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -42,7 +42,7 @@
  <para>To filter traffic from your <quote>loc</quote> zone with ftwall, you
  insert the following rules <emphasis role="bold">near the top</emphasis> of
-  your /etc/shorewall/rules file (before and ACCEPT rules whose source is the
+  your /etc/shorewall/rules file (before any ACCEPT rules whose source is the
  <quote>loc</quote> zone).</para>
  <programlisting>        QUEUE   loc        net        tcp
@ -51,4 +51,9 @@
  <para>Now simply configure ftwall as described in the ftwall documentation
  and restart Shorewall.</para>
  <tip>
    <para>There is an ftwall init script for use with <trademark>SuSE</trademark>
    Linux at <ulink url="http://shorewall.net/pub/shorewall/contrib/ftwall">http://shorewall.net/pub/shorewall/contrib/ftwall</ulink>.</para>
  </tip>
 </article>
--- a/Shorewall-docs/blacklisting_support.xml
+++ b/Shorewall-docs/blacklisting_support.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-05</pubdate>
+    <pubdate>2004-01-17</pubdate>
    <copyright>
      <year>2002-2004</year>
@ -140,7 +140,7 @@
    option in <filename>/etc/shorewall/interfaces</filename>.</para>
    <example>
-      <title>Ingore packets from a pair of systems</title>
+      <title>Ignore packets from a pair of systems</title>
      <programlisting>    <command>shorewall drop 192.0.2.124 192.0.2.125</command></programlisting>
--- a/Shorewall-docs/errata.xml
+++ b/Shorewall-docs/errata.xml
@ -13,7 +13,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-03</pubdate>
+    <pubdate>2004-01-19</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -62,16 +62,44 @@
    </itemizedlist>
  </caution>
  <section>
    <title>RFC1918 File</title>
    <para><ulink url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
    is the most up to date version of the <ulink
    url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
  </section>
  <section>
    <title>Problems in Version 1.4</title>
    <section>
-      <title>All Versions</title>
+      <title>Shorewall 1.4.9</title>
-      <para><ulink
+      <itemizedlist>
-      url="http://shorewall.net/pub/shorewall/errata/1.4.8/rfc1918">Here</ulink>
+        <listitem>
-      is the most up to date version of the <ulink
+          <para>The column descriptions in the action.template file did not
-      url="Documentation.htm#rfc1918">rfc1918 file</ulink>.</para>
+          match the column headings.</para>
        </listitem>
      </itemizedlist>
      <para>This problem has been corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/1.4.9/action.template">this
      action.template file</ulink> which may be installed in /etc/shorewall.</para>
      <itemizedlist>
        <listitem>
          <para>The presence of IPV6 addresses on devices generates error
          messages during <command>[re]start </command>if ADD_IP_ALIASES=Yes
          or ADD_SNAT_ALIASES=Yes are specified in
          /etc/shorewall/shorewall.conf.</para>
        </listitem>
      </itemizedlist>
      <para>This problem has been corrected in <ulink
      url="http://shorewall.net/pub/shorewall/errata/1.4.8/firewall">this
      firewall script</ulink> which may be installed in
      /usr/share/shorewall/firewall as described above.</para>
    </section>
    <section>
@ -437,9 +465,11 @@ Aborted (core dumped)</programlisting>
  </section>
  <appendix>
-    <title>Revision History</title>
+    <title>Revision History4</title>
-    <para><revhistory><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
+    <para><revhistory><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
    address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
    template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
    note about REJECT RedHat Kernal problem being corrected.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Updated
    RFC1918 file</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-17</date><authorinitials>TE</authorinitials><revremark>Initial
    Conversion to Docbook XML</revremark></revision></revhistory></para>
--- a/Shorewall-docs/myfiles.xml
+++ b/Shorewall-docs/myfiles.xml
@ -15,7 +15,7 @@
      </author>
    </authorgroup>
-    <pubdate>2004-01-08</pubdate>
+    <pubdate>2004-01-20</pubdate>
    <copyright>
      <year>2001-2004</year>
@ -66,8 +66,9 @@
      </listitem>
      <listitem>
-        <para>One-to-one NAT for EastepLaptop (My work system). Internal
+        <para>One-to-one NAT for EastepLaptop (My work system -- Windows XP
-        address 192.168.1.7 and external address 206.124.146.180.</para>
+        SP2). Internal address 192.168.1.7 and external address
        206.124.146.180.</para>
      </listitem>
      <listitem>
@ -86,7 +87,7 @@
      </listitem>
    </itemizedlist>
-    <para>The firewall runs on a 256MB PII/233 with RH9.0.</para>
+    <para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para>
    <para>Wookie, Ursa and the Firewall all run Samba and the Firewall acts as
    a WINS server.</para>
@ -100,19 +101,20 @@
    <para>The single system in the DMZ (address 206.124.146.177) runs postfix,
    Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
-    server (Pure-ftpd). The system also runs fetchmail to fetch our email from
+    server (Pure-ftpd) under RedHat 9.0. The system also runs fetchmail to
-    our old and current ISPs. That server is managed through Proxy ARP.</para>
+    fetch our email from our old and current ISPs. That server is managed
    through Proxy ARP.</para>
    <para>The firewall system itself runs a DHCP server that serves the local
    network.</para>
-    <para>All administration and publishing is done using ssh/scp. I have X
+    <para>All administration and publishing is done using ssh/scp. I have a
-    installed on the firewall but no X server or desktop is installed. X
+    desktop environment installed on the firewall but I am not usually logged
-    applications tunnel through SSH to XWin.exe running on Ursa. The server
+    in to it. X applications tunnel through SSH to Ursa. The server also has a
-    does have a desktop environment installed and that desktop environment is
+    desktop environment installed and that desktop environment is available
-    available via XDMCP from the local zone. For the most part though, X
+    via XDMCP from the local zone. For the most part though, X tunneled
-    tunneled through SSH is used for server administration and the server runs
+    through SSH is used for server administration and the server runs at run
-    at run level 3 (multi-user console mode on RedHat).</para>
+    level 3 (multi-user console mode on RedHat).</para>
    <para>I run an SNMP server on my firewall to serve <ulink
    url="http://www.ee.ethz.ch/~oetiker/webtools/mrtg/">MRTG</ulink> running
@ -120,9 +122,9 @@
    ethernet interface in the Server is configured with IP address
    206.124.146.177, netmask 255.255.255.0. The server&#39;s default gateway
    is 206.124.146.254 (Router at my ISP. This is the same default gateway
-    used by the firewall itself). On the firewall, my /sbin/ifup-local script
+    used by the firewall itself). On the firewall, an entry in my
-    (see below) adds a host route to 206.124.146.177 through eth1 when that
+    /etc/network/interfaces file (see below) adds a host route to
-    interface is brought up.</para>
+    206.124.146.177 through eth1 when that interface is brought up.</para>
    <para>Ursa (192.168.1.5 A.K.A. 206.124.146.178) runs a PPTP server for
    Road Warrior access.</para>
@ -541,90 +543,24 @@ ACCEPT          all                             all                     icmp
    </section>
    <section>
-      <title>Init File</title>
+      <title>/etc/network/interfaces</title>
      <blockquote>
-        <para>This file deals with redirecting html requests to <ulink
+        <para>This file is Debian specific. My additional entry (which is
-        url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>.</para>
+        displayed in <emphasis role="bold">bold type</emphasis>) adds a route
-      </blockquote>
+        to my DMZ server when eth1 is brought up. It allows me to enter
        <quote>Yes</quote> in the HAVEROUTE column of <link linkend="ProxyARP">my
        Proxy ARP file</link>.</para>
-      <blockquote>
+        <programlisting>...
-        <programlisting>#
+auto eth1
-# Add a second routing table with my server as the default gateway
+iface eth1 inet static
-# Use this routing table with all packets marked with value 1
+        address 192.168.2.1
-# 
+        netmask 255.255.255.0
-if [ -z &#34;`ip route list table 202 2&#62; /dev/null`&#34; ] ; then
+        network 192.168.2.0
-    run_ip rule add fwmark 1 table www.out
+        broadcast 192.168.2.255
-    run_ip route add default via 206.124.146.177 dev eth1 table www.out
+        <emphasis role="bold">up ip route add 206.124.146.177 dev eth1
-    run_ip route flush cache
+</emphasis>...</programlisting>
 fi</programlisting>
      </blockquote>
    </section>
    <section>
      <title>/etc/iproute2/rt_tables</title>
      <blockquote>
        <para>This file deals with redirecting html requests to <ulink
        url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>.</para>
      </blockquote>
      <blockquote>
        <programlisting>#
 # reserved values
 #
 #255    local
 #254    main
 #253    default
 #0      unspec
 #
 # local -- I added the entry below
 #
 202 www.out</programlisting>
      </blockquote>
    </section>
    <section>
      <title>Tcrules File</title>
      <blockquote>
        <para>This file deals with redirecting html requests to <ulink
        url="Shorewall_Squid_Usage.html#DMZ">Squid on the DMZ server</ulink>
        -- in my setup, it is <emphasis role="bold">not</emphasis> used for
        traffic shapping/control.</para>
      </blockquote>
      <blockquote>
        <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT PORT(S)
 1:P             eth2,eth3       !192.168.0.0/16 tcp     80</programlisting>
      </blockquote>
    </section>
    <section>
      <title>Tcstart File</title>
      <blockquote>
        <para>My tcstart file is just the HTB version of <ulink
        url="http://lartc.org/wondershaper/">The WonderShaper</ulink>.</para>
      </blockquote>
    </section>
    <section>
      <title>/sbin/ifup-local</title>
      <blockquote>
        <para>This file is Redhat specific and adds a route to my DMZ server
        when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
        the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para>
        <programlisting>#!/bin/sh
 case $1 in
     eth1)
           ip route add 206.124.146.177 dev eth1
           ;;
 esac</programlisting>
      </blockquote>
    </section>
  </section>
--- a/Shorewall-docs/traffic_shaping.xml
+++ b/Shorewall-docs/traffic_shaping.xml
@ -15,10 +15,10 @@
      </author>
    </authorgroup>
-    <pubdate>2003-10-21</pubdate>
+    <pubdate>2004-01-21</pubdate>
    <copyright>
-      <year>2001-2003</year>
+      <year>2001-2004</year>
      <holder>Thomas M. Eastep</holder>
    </copyright>
@ -223,6 +223,21 @@
        omitted, any source port is acceptable. Specified as a comma-separate
        list of port names, port numbers or port ranges.</para>
      </listitem>
      <listitem>
        <para>USER (Added in Shorewall version 1.4.10) - (Optional) This
        column may only be non-empty if the SOURCE is the firewall itself.
        When this column is non-empty, the rule applies only if the program
        generating the output is running under the effective user and/or
        group. It may contain : </para>
        <para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]
        </para>
        <para>The colon is optionnal when specifying only a user. </para>
        <para>Examples : john: / john / :users / john:users</para>
      </listitem>
    </itemizedlist>
    <example>
@ -233,7 +248,7 @@
      originating on the firewall itself should be marked with 3.</para>
      <informaltable>
-        <tgroup cols="6">
+        <tgroup cols="4">
          <thead>
            <row>
              <entry align="center">MARK</entry>
@ -243,10 +258,6 @@
              <entry align="center">DESTINATION</entry>
              <entry align="center">PROTOCOL</entry>
              <entry align="center">PORT(S)</entry>
              <entry align="center">CLIENT PORT(S)</entry>
            </row>
          </thead>
@ -259,10 +270,6 @@
              <entry>0.0.0.0/0</entry>
              <entry>all</entry>
              <entry></entry>
              <entry></entry>
            </row>
            <row>
@ -273,10 +280,6 @@
              <entry>0.0.0.0/0</entry>
              <entry>all</entry>
              <entry></entry>
              <entry></entry>
            </row>
            <row>
@ -287,10 +290,6 @@
              <entry>0.0.0.0/0</entry>
              <entry>all</entry>
              <entry></entry>
              <entry></entry>
            </row>
            <row>
@ -301,10 +300,6 @@
              <entry>0.0.0.0/0</entry>
              <entry>all</entry>
              <entry></entry>
              <entry></entry>
            </row>
          </tbody>
        </tgroup>
@ -318,7 +313,7 @@
      destined for 155.186.235.151 should be marked with 12.</para>
      <informaltable>
-        <tgroup cols="6">
+        <tgroup cols="4">
          <thead>
            <row>
              <entry align="center">MARK</entry>
@ -328,10 +323,6 @@
              <entry align="center">DESTINATION</entry>
              <entry align="center">PROTOCOL</entry>
              <entry align="center">PORT(S)</entry>
              <entry align="center">CLIENT PORT(S)</entry>
            </row>
          </thead>
@ -344,10 +335,6 @@
              <entry>155.186.235.151</entry>
              <entry>47</entry>
              <entry></entry>
              <entry></entry>
            </row>
          </tbody>
        </tgroup>
@ -361,7 +348,7 @@
      155.186.235.151 should be marked with 22.</para>
      <informaltable>
-        <tgroup cols="6">
+        <tgroup cols="5">
          <thead>
            <row>
              <entry align="center">MARK</entry>
@ -373,8 +360,6 @@
              <entry align="center">PROTOCOL</entry>
              <entry align="center">PORT(S)</entry>
              <entry align="center">CLIENT PORT(S)</entry>
            </row>
          </thead>
@ -389,8 +374,6 @@
              <entry>tcp</entry>
              <entry>22</entry>
              <entry></entry>
            </row>
          </tbody>
        </tgroup>
@ -405,10 +388,7 @@
    url="http://lartc.org/wondershaper/">The Wonder Shaper </ulink>(I just
    copied wshaper.htb to /etc/shorewall/tcstart and modified it as shown in
    the Wondershaper README). WonderShaper DOES NOT USE THE
-    /etc/shorewall/tcrules file. While I currently have entries in
+    /etc/shorewall/tcrules file.</para>
    /etc/shorewall/tcrules, I do so for <ulink
    url="Shorewall_Squid_Usage.html">policy routing for Squid</ulink> and not
    for Traffic Shaping.</para>
  </section>
  <section>