Save/restore docker0 rules when it isn't defined to Shorewall

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -908,6 +908,26 @@ show_events() {
     fi
 }
 
+show_actions() {
+    echo "A_ACCEPT                        # Audit and accept the connection"
+    echo "A_DROP                          # Audit and drop the connection"
+    echo "A_REJECT                        # Audit and reject the connection "
+    echo "allowBcast                      # Silently Allow Broadcast/multicast"
+    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
+    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
+    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+    echo "dropBcast                       # Silently Drop Broadcast/multicast"
+    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
+    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
+    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
+    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
+
+    if [ -f ${g_confdir}/actions ]; then
+	cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
+    else
+	grep -Ev '^\#|^$' ${g_sharedir}/actions.std
+    fi
+}
 #
 # Show Command Executor
 #
@@ -921,6 +941,7 @@ show_command() {
     local output_filter
     output_filter=cat
     local arptables
+    local macro
 
     show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -1277,25 +1298,7 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    echo "A_ACCEPT                        # Audit and accept the connection"
+			    show_actions | sort
-			    echo "A_DROP                          # Audit and drop the connection"
-			    echo "A_REJECT                        # Audit and reject the connection "
-			    echo "allowBcast                      # Silently Allow Broadcast/multicast"
-			    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
-			    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
-			    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-			    echo "dropBcast                       # Silently Drop Broadcast/multicast"
-			    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
-			    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
-			    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
-			    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"
-
-			    if [ -f ${g_confdir}/actions ]; then
-				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
-			    else
-				grep -Ev '^\#|^$' ${g_sharedir}/actions.std
-			    fi
-
 			    return
 			    ;;
 			macro)

Shorewall/Macros/macro.AMQP

@@ -1,12 +1,10 @@
 #
-# Shorewall - AMQP Macro
+# Shorewall -- /usr/share/shorewall/macro.AMQP
 #
-# /usr/share/shorewall/macro.AMQP
+# This macro handles AMQP traffic.
-#
-#	This macro handles AMQP traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	5672
 PARAM	-	-	udp	5672

Shorewall/Macros/macro.A_AllowICMPs

@@ -1,13 +1,10 @@
 #
-# Shorewall - Audited AllowICMPs Macro
+# Shorewall -- /usr/share/shorewall/macro.A_AllowICMPs
 #
-# /usr/share/shorewall/macro.A_AllowICMPs
+# This macro audits and accepts needed ICMP types.
-#
-#	This macro A_ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE
-#					PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT Needed ICMP types
 

Shorewall/Macros/macro.A_DropDNSrep

@@ -1,13 +1,10 @@
 #
-# Shorewall - Audited DropDNSrep Macro
+# Shorewall -- /usr/share/shorewall/macro.A_DropDNSrep
 #
-# /usr/share/shorewall/macro.A_DropDNSrep
+# This macro audits and drops DNS UDP replies.
-#
-#	This macro silently audites and drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT Late DNS Replies
 

Shorewall/Macros/macro.A_DropUPnP

@@ -1,13 +1,10 @@
 #
-# Shorewall - ADropUPnP Macro
+# Shorewall -- /usr/share/shorewall/macro.A_DropUPnP
 #
-# /usr/share/shorewall/macro.A_DropUPnP
+# This macro audits and drops UPnP probes on UDP port 1900.
-#
-#	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT UPnP
 

Shorewall/Macros/macro.ActiveDir

@@ -1,16 +1,13 @@
 #
-# Shorewall - Samba 4 Macro
+# Shorewall -- /usr/share/shorewall/macro.ActiveDir
-#
-# /usr/share/shorewall/macro.ActiveDir
-#
-#       This macro handles ports for Samba 4 Active Directory Service
-#
-# You can comment out the ports you do not want open
 #
+# This macro handles ports for Samba 4 Active Directory Service.
+# You can copy this file to /etc/shorewall[6]/ and comment out the ports you
+# do not want open.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL

Shorewall/Macros/macro.AllowICMPs

@@ -1,13 +1,10 @@
 #
-# Shorewall - AllowICMPs Macro
+# Shorewall -- /usr/share/shorewall/macro.AllowICMPs
 #
-# /usr/share/shorewall/macro.AllowICMPs
+# This macro ACCEPTs needed ICMP types.
-#
-#	This macro ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT Needed ICMP types
 

Shorewall/Macros/macro.Amanda

@@ -1,15 +1,12 @@
 #
-# Shorewall - Amanda Macro
+# Shorewall -- /usr/share/shorewall/macro.Amanda
 #
-# /usr/share/shorewall/macro.Amanda
+# This macro handles connections required by the AMANDA backup system
-#
+# to back up remote nodes.  It does not provide the ability to restore
-#	This macro handles connections required by the AMANDA backup system
+# files from those nodes.
-#	to back up remote nodes.  It does not provide the ability to restore
-#	files from those nodes.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
  PARAM	-	-	udp	10080 { helper=amanda }

Shorewall/Macros/macro.Auth

@@ -1,11 +1,9 @@
 #
-# Shorewall - Auth Macro
+# Shorewall -- /usr/share/shorewall/macro.Auth
 #
-# /usr/share/shorewall/macro.Auth
+# This macro handles Auth (identd) traffic.
-#
-#	This macro handles Auth (identd) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	113

Shorewall/Macros/macro.BGP

@@ -1,11 +1,9 @@
 #
-# Shorewall - BGP Macro
+# Shorewall -- /usr/share/shorewall/macro.BGP
 #
-# /usr/share/shorewall/macro.BGP
+# This macro handles BGP4 traffic.
-#
-#	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	179	# BGP4

Shorewall/Macros/macro.BLACKLIST

@@ -1,13 +1,11 @@
 #
-# Shorewall - blacklist Macro
+# Shorewall -- /usr/share/shorewall/macro.blacklist
 #
-# /usr/share/shorewall/macro.blacklist
+# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
-#
-#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 ?if $BLACKLIST_LOGLEVEL
 blacklog
 ?else

Shorewall/Macros/macro.BitTorrent

@@ -1,19 +1,16 @@
 #
-# Shorewall - BitTorrent Macro
+# Shorewall -- /usr/share/shorewall/macro.BitTorrent
 #
-# /usr/share/shorewall/macro.BitTorrent
+# This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
 #
-#	This macro handles BitTorrent traffic for BitTorrent 3.1 and earlier.
+# If you are running BitTorrent 3.2 or later, you should use the
-#
+# BitTorrent32 macro.
-#	If you are running BitTorrent 3.2 or later, you should use the
-#	BitTorrent32 macro.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	6881:6889
 #
 # It may also be necessary to allow UDP traffic:
 #
 PARAM	-	-	udp	6881
-#

Shorewall/Macros/macro.BitTorrent32

@@ -1,16 +1,13 @@
 #
-# Shorewall - BitTorrent 3.2 Macro
+# Shorewall -- /usr/share/shorewall/macro.BitTorrent32
 #
-# /usr/share/shorewall/macro.BitTorrent32
+# This macro handles BitTorrent traffic for BitTorrent 3.2 and later.
-#
-#	This macro handles BitTorrent traffic for BitTorrent 3.2 and later.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	6881:6999
 #
 # It may also be necessary to allow UDP traffic:
 #
 PARAM	-	-	udp	6881
-#

Shorewall/Macros/macro.CVS

@@ -1,11 +1,9 @@
 #
-# Shorewall - CVS Macro
+# Shorewall -- /usr/share/shorewall/macro.CVS
 #
-# /usr/share/shorewall/macro.CVS
+# This macro handles connections to the CVS pserver.
-#
-#	This macro handles connections to the CVS pserver.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	2401

Shorewall/Macros/macro.Citrix

@@ -1,14 +1,12 @@
 #
-# Shorewall - Citrix/ICA Macro
+# Shorewall -- /usr/share/shorewall/macro.Citrix
 #
-# /usr/share/shorewall/macro.Citrix
+# This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
-#
+# ICA Session Reliability)
-#	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
-#	ICA Session Reliability)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	1494	# ICA
 PARAM	-	-	udp	1604	# ICA Browser
 PARAM	-	-	tcp	2598	# CGP Session Reliabilty

Shorewall/Macros/macro.DAAP

@@ -1,13 +1,11 @@
 #
-# Shorewall - DAAP Macro
+# Shorewall -- /usr/share/shorewall/macro.DAAP
 #
-# /usr/share/shorewall/macro.DAAP
+# This macro handles DAAP (Digital Audio Access Protocol) traffic.
-#
+# The protocol is used by iTunes, Rythmbox and other similar daemons.
-#	This macro handles DAAP (Digital Audio Access Protocol) traffic.
-#	The protocol is used by iTunes, Rythmbox and other similar daemons.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	3689
 PARAM	-	-	udp	3689

Shorewall/Macros/macro.DCC

@@ -1,12 +1,10 @@
 #
-# Shorewall - DCC Macro
+# Shorewall -- /usr/share/shorewall/macro.DCC
 #
-# /usr/share/shorewall/macro.DCC
+# This macro handles DCC (Distributed Checksum Clearinghouse) traffic.
-#
+# DCC is a distributed spam filtering mechanism.
-#	This macro handles DCC (Distributed Checksum Clearinghouse) traffic.
-#	DCC is a distributed spam filtering mechanism.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	6277

Shorewall/Macros/macro.DHCPfwd

@@ -1,12 +1,10 @@
 #
-# Shorewall - DHCPfwd Macro
+# Shorewall -- /usr/share/shorewall/macro.DHCPfwd
 #
-# /usr/share/shorewall/macro.DHCPfwd
+# This macro (bidirectional) handles forwarded DHCP traffic
-#
-#	This macro (bidirectional) handles forwarded DHCP traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	67:68	67:68	# DHCP
 PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP

Shorewall/Macros/macro.DNS

@@ -1,12 +1,10 @@
 #
-# Shorewall - DNS Macro
+# Shorewall --  /usr/share/shorewall/macro.DNS
 #
-# /usr/share/shorewall/macro.DNS
+# This macro handles DNS traffic.
-#
-#	This macro handles DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	53
 PARAM	-	-	tcp	53

Shorewall/Macros/macro.Distcc

@@ -1,11 +1,9 @@
 #
-# Shorewall - Distcc Macro
+# Shorewall -- /usr/share/shorewall/macro.Distcc
 #
-# /usr/share/shorewall/macro.Distcc
+# This macro handles connections to the Distributed Compiler service.
-#
-#	This macro handles connections to the Distributed Compiler service.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	3632

Shorewall/Macros/macro.Drop

@@ -1,18 +1,15 @@
 #
-# Shorewall - Drop Macro
+# Shorewall -- /usr/share/shorewall/macro.Drop
 #
-# /usr/share/shorewall/macro.Drop
+# This macro generates the same rules as the Drop default action
+# It is used in place of action.Drop when USE_ACTIONS=No.
 #
-#	This macro generates the same rules as the Drop default action
+# Example:
-#	It is used in place of action.Drop when USE_ACTIONS=No.
 #
-#	Example:
+#	Drop	net	all
-#
-#		Drop	net	all
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 #
 # Don't log 'auth' DROP
 #

Shorewall/Macros/macro.DropDNSrep

@@ -1,13 +1,10 @@
 #
-# Shorewall - DropDNSrep Macro
+# Shorewall -- /usr/share/shorewall/macro.DropDNSrep
 #
-# /usr/share/shorewall/macro.DropDNSrep
+# This macro silently drops DNS UDP replies
-#
-#	This macro silently drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT Late DNS Replies
 

Shorewall/Macros/macro.DropUPnP

@@ -1,13 +1,10 @@
 #
-# Shorewall - DropUPnP Macro
+# Shorewall -- /usr/share/shorewall/macro.DropUPnP
 #
-# /usr/share/shorewall/macro.DropUPnP
+# This macro silently drops UPnP probes on UDP port 1900
-#
-#	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?COMMENT UPnP
 

Shorewall/Macros/macro.Edonkey

@@ -1,34 +1,31 @@
 #
-# Shorewall - Edonkey Macro
+# Shorewall -- /usr/share/shorewall/macro.Edonkey
 #
-# /usr/share/shorewall/macro.Edonkey
+# This macro handles Edonkey traffic.
 #
-#	This macro handles Edonkey traffic.
+# http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
+# says to use udp 5737 rather than 4665.
 #
+# http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
 #
-#	http://www.portforward.com/english/routers/port_forwarding/2wire/1000s/eDonkey.htm
+# 4661 TCP (outgoing) Port, on which a server listens for connection
-#	says to use udp 5737 rather than 4665.
+# (defined by server).
 #
-#	http://www.amule.org/wiki/index.php/FAQ_ed2k says this:
+# 4665 UDP (outgoing) used for global server searches and global source
+# queries. This is always Server TCP port (in this case 4661) + 4.
 #
-#	4661 TCP (outgoing) Port, on which a server listens for connection
+# 4662 TCP (outgoing and incoming) Client to client transfers.
-#	(defined by server).
 #
-#	4665 UDP (outgoing) used for global server searches and global source
+# 4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
-#	queries. This is always Server TCP port (in this case 4661) + 4.
+# Rating, File Reask Ping
 #
-#	4662 TCP (outgoing and incoming) Client to client transfers.
+# 4711 TCP WebServer listening port.
 #
-#	4672 UDP (outgoing and incoming) Extended eMule protocol, Queue
+# 4712 TCP External Connection port. Used to communicate aMule with other
-#	Rating, File Reask Ping
+# applications such as aMule WebServer or aMuleCMD.
-#
-#	4711 TCP WebServer listening port.
-#
-#	4712 TCP External Connection port. Used to communicate aMule with other
-#	applications such as aMule WebServer or aMuleCMD.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	4662
 PARAM	-	-	udp	4665

Shorewall/Macros/macro.FTP

@@ -1,13 +1,11 @@
 #
-# Shorewall - FTP Macro
+# Shorewall -- /usr/share/shorewall/macro.FTP
 #
-# /usr/share/shorewall/macro.FTP
+# This macro handles FTP traffic.
-#
-#	This macro handles FTP traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
  PARAM	-	-	tcp	21 { helper=ftp }
 ?else

Shorewall/Macros/macro.Finger

@@ -1,12 +1,10 @@
 #
-# Shorewall - Finger Macro
+# Shorewall -- /usr/share/shorewall/macro.Finger
 #
-# /usr/share/shorewall/macro.Finger
+# This macro handles Finger protocol.
-#
+# You should not generally open your finger information to internet.
-#	This macro handles Finger protocol. You should not generally open
-#	your finger information to internet.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	79

Shorewall/Macros/macro.GNUnet

@@ -1,13 +1,11 @@
 #
-# Shorewall - GNUnet Macro
+# Shorewall -- /usr/share/shorewall/macro.GNUnet
 #
-# /usr/share/shorewall/macro.GNUnet
+# This macro handles GNUnet (secure peer-to-peer networking) traffic.
-#
-#	This macro handles GNUnet (secure peer-to-peer networking) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	2086
 PARAM	-	-	udp	2086
 PARAM	-	-	tcp	1080

Shorewall/Macros/macro.GRE

@@ -1,13 +1,10 @@
 #
-# Shorewall - GRE Macro
+# Shorewall -- /usr/share/shorewall/macro.GRE
 #
-# /usr/share/shorewall/macro.GRE
+# This macro (bidirectional) handles Generic Routing Encapsulation (GRE).
-#
-#	This macro (bi-directional) handles Generic Routing Encapsulation
-#	traffic (RFC 1701)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	47	# GRE
 PARAM	DEST	SOURCE	47	# GRE

Shorewall/Macros/macro.Git

@@ -1,11 +1,9 @@
 #
-# Shorewall - Git Macro
+# Shorewall -- /usr/share/shorewall/macro.Git
 #
-# /usr/share/shorewall/macro.Git
+# This macro handles Git traffic.
-#
-#	This macro handles Git traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	9418

Shorewall/Macros/macro.Gnutella

@@ -1,12 +1,10 @@
 #
-# Shorewall - Gnutella Macro
+# Shorewall -- /usr/share/shorewall/macro.Gnutella
 #
-# /usr/share/shorewall/macro.Gnutella
+# This macro handles Gnutella traffic.
-#
-#	This macro handles Gnutella traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	6346
 PARAM	-	-	udp	6346

Shorewall/Macros/macro.Goto-Meeting

@@ -1,12 +1,11 @@
 #
-# Shorewall - Citrix/Goto Meeting macro
+# Shorewall -- /usr/share/shorewall/macro.Goto-Meeting
 #
-# /usr/share/shorewall/macro.Goto-Meeting
+# This macro handles Citrix/Goto Meeting.
-#          by Eric Teeter
+#
-#       This macro handles Citrix/Goto Meeting
+###############################################################################
-#       Assumes that ports 80 and 443 are already open
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#       If needed, use the macros that open Http and Https to reduce redundancy
+
-####################################################################################
+PARAM      -    -       tcp     8200    # Goto Meeting only needed outbound
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+HTTP
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+HTTPS
-PARAM      -    -       tcp     8200    # Goto Meeting only needed (TCP outbound)

Shorewall/Macros/macro.HKP

@@ -1,11 +1,9 @@
 #
-# Shorewall - HKP Macro
+# Shorewall -- /usr/share/shorewall/macro.HKP
 #
-# /usr/share/shorewall/macro.HKP
+# This macro handles OpenPGP HTTP keyserver protocol traffic.
-#
-#	This macro handles OpenPGP HTTP keyserver protocol traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	11371

Shorewall/Macros/macro.HTTP

@@ -1,11 +1,9 @@
 #
-# Shorewall - HTTP Macro
+# Shorewall -- /usr/share/shorewall/macro.HTTP
 #
-# /usr/share/shorewall/macro.HTTP
+# This macro handles plaintext HTTP (WWW) traffic.
-#
-#	This macro handles plaintext HTTP (WWW) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	80

Shorewall/Macros/macro.HTTPS

@@ -1,11 +1,9 @@
 #
-# Shorewall - HTTPS Macro
+# Shorewall -- /usr/share/shorewall/macro.HTTPS
 #
-# /usr/share/shorewall/macro.HTTPS
+# This macro handles HTTPS (WWW over TLS) traffic.
-#
-#	This macro handles HTTPS (WWW over SSL) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	443

Shorewall/Macros/macro.ICPV2

@@ -1,11 +1,9 @@
 #
-# Shorewall - ICPV2 Macro
+# Shorewall - /usr/share/shorewall/macro.ICPV2
 #
-# /usr/share/shorewall/macro.ICPV2
+# This macro handles Internet Cache Protocol V2 (Squid) traffic.
-#
-#	This macro handles Internet Cache Protocol V2 (Squid) traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	3130

Shorewall/Macros/macro.ICQ

@@ -1,11 +1,9 @@
 #
-# Shorewall - ICQ Macro
+# Shorewall -- /usr/share/shorewall/macro.ICQ
 #
-# /usr/share/shorewall/macro.ICQ
+# This macro handles ICQ, now called AOL Instant Messenger (or AIM).
-#
-#	This macro handles ICQ, now called AOL Instant Messenger (or AIM).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	5190

Shorewall/Macros/macro.ILO

@@ -1,15 +1,13 @@
 #
-# Shorewall - ILO Macro
+# Shorewall -- /usr/share/shorewall/macro.ILO
 #
-# /usr/share/shorewall/macro.ILO
+# This macro handles console redirection with HP ILO 2+,
-#
+# Use this macro to open access to your ILO interface from management
-#	This macro handles console redirection with HP ILO 2+,
+# workstations.
-#	Use this macro to open access to your ILO interface from management
-#	workstations.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	3002		# Raw serial data
 PARAM	-	-	tcp	9300		# Shared Remote Console
 PARAM	-	-	tcp	17988		# Virtual Media

Shorewall/Macros/macro.IMAP

@@ -1,12 +1,10 @@
 #
-# Shorewall - IMAP Macro
+# Shorewall -- /usr/share/shorewall/macro.IMAP
 #
-# /usr/share/shorewall/macro.IMAP
+# This macro handles plaintext and STARTTLS IMAP traffic.
-#
+# For SSL (TLS) IMAP, see macro.IMAPS.
-#	This macro handles plaintext IMAP traffic.  For encrypted IMAP,
-#	see macro.IMAPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	143

Shorewall/Macros/macro.IMAPS

@@ -1,12 +1,11 @@
 #
-# Shorewall - IMAPS Macro
+# Shorewall -- /usr/share/shorewall/macro.IMAPS
 #
-# /usr/share/shorewall/macro.IMAPS
+# This macro handles SSL (TLS) IMAP traffic.
-#
+# For plaintext (not recommended) and STARTLS (recommended) IMAP see
-#	This macro handles encrypted IMAP traffic.  For plaintext IMAP
+# macro.IMAP.
-#	(not recommended), see macro.IMAP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	993

Shorewall/Macros/macro.IPIP

@@ -1,12 +1,10 @@
 #
-# Shorewall - IPIP Macro
+# Shorewall -- /usr/share/shorewall/macro.IPIP
 #
-# /usr/share/shorewall/macro.IPIP
+# This macro (bidirectional) handles IPIP capsulation traffic
-#
-#	This macro (bidirectional) handles IPIP capsulation traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	94	# IPIP
 PARAM	DEST	SOURCE	94	# IPIP

Shorewall/Macros/macro.IPMI

@@ -1,16 +1,15 @@
 #
-# Shorewall - IPMI Macro
+# Shorewall -- /usr/share/shorewall/macro.IPMI
 #
-# /usr/share/shorewall/macro.IPMI
+# This macro handles IPMI console redirection with RMCP protocol.
-#
+# Tested to work with with Asus (AMI),
-#	This macro handles IPMI console redirection with Asus (AMI),
+# Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
-#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
+# Use this macro to open access to your IPMI interface from management
-#	Use this macro to open access to your IPMI interface from management
+# workstations.
-#	workstations.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)

Shorewall/Macros/macro.IPP

@@ -1,11 +1,9 @@
 #
-# Shorewall - IPP Macro
+# Shorewall -- /usr/share/shorewall/macro.IPP
 #
-# /usr/share/shorewall/macro.IPP
+# This macro handles Internet Printing Protocol (IPP).
-#
-#	This macro handles Internet Printing Protocol (IPP).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	631

Shorewall/Macros/macro.IPPbrd

@@ -1,13 +1,11 @@
 #
-# Shorewall - IPP Broadcast Macro
+# Shorewall -- /usr/share/shorewall/macro.IPPbrd
 #
-# /usr/share/shorewall/macro.IPPbrd
+# This macro handles Internet Printing Protocol (IPP) broadcasts.
-#
+# If you also need to handle TCP 631 connections in the opposite
-#	This macro handles Internet Printing Protocol (IPP) broadcasts.
+# direction, use the IPPserver Macro
-#       If you also need to handle TCP 631 connections in the opposite
-#       direction, use the IPPserver Macro
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	631

Shorewall/Macros/macro.IPPserver

@@ -1,29 +1,28 @@
 #
-# Shorewall - IPPserver Macro
+# Shorewall -- /usr/share/shorewall/macro.IPPserver
 #
-# /usr/share/shorewall/macro.IPPserver
+# This macro handles Internet Printing Protocol (IPP), indicating
+# that DEST is a printing server for SOURCE.  The macro allows
+# print queue broadcasts from the server to the client, and
+# printing connections from the client to the server.
 #
-#	This macro handles Internet Printing Protocol (IPP), indicating
+# Example usage on a single-interface firewall which is a print client:
-#	that DEST is a printing server for SOURCE.  The macro allows
-#	print queue broadcasts from the server to the client, and
-#	printing connections from the client to the server.
 #
-#	Example usage on a single-interface firewall which is a print
+#	IPPserver(ACCEPT)	$FW	net
-#	client:
-#		IPPserver/ACCEPT $FW net
 #
-#	Example for a two-interface firewall which acts as a print
+# Example for a two-interface firewall which acts as a print server for loc:
-#	server for loc:
-#		IPPserver/ACCEPT loc $FW
 #
-#	NOTE: If you want both to serve requests for local printers and
+#	IPPserver(ACCEPT)	loc	$FW
-#	listen to requests for remote printers (i.e. your CUPS server is
+#
-#	also a client), you need to apply the rule twice, e.g.
+# NOTE: If you want both to serve requests for local printers and listen to
-#		IPPserver/ACCEPT loc $FW
+# requests for remote printers (i.e. your CUPS server is also a client),
-#		IPPserver/ACCEPT $FW loc
+# you need to apply the rule twice, e.g.
+#
+#	IPPserver(ACCEPT)	loc	$FW
+#	IPPserver(ACCEPT)	$FW	loc
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	SOURCE	DEST	tcp	631
 PARAM	DEST	SOURCE	udp	631

Shorewall/Macros/macro.IPsec

@@ -1,13 +1,11 @@
 #
-# Shorewall - IPsec Macro
+# Shorewall -- /usr/share/shorewall/macro.IPsec
 #
-# /usr/share/shorewall/macro.IPsec
+# This macro (bidirectional) handles IPsec traffic
-#
-#	This macro (bidirectional) handles IPsec traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	50			# ESP
 PARAM	DEST	SOURCE	udp	500	500	# IKE

Shorewall/Macros/macro.IPsecah

@@ -1,14 +1,12 @@
 #
-# Shorewall - IPsecah Macro
+# Shorewall -- /usr/share/shorewall/macro.IPsecah
 #
-# /usr/share/shorewall/macro.IPsecah
+# This macro (bidirectional) handles IPsec authentication (AH) traffic.
-#
+# This is insecure. You should use ESP with encryption for security.
-#	This macro (bidirectional) handles IPsec authentication (AH) traffic.
-#       This is insecure. You should use ESP with encryption for security.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	51			# AH
 PARAM	DEST	SOURCE	udp	500	500	# IKE

Shorewall/Macros/macro.IPsecnat

@@ -1,13 +1,11 @@
 #
-# Shorewall - IPsecnat Macro
+# Shorewall -- /usr/share/shorewall/macro.IPsecnat
 #
-# /usr/share/shorewall/macro.IPsecnat
+# This macro (bidirectional) handles IPsec traffic and Nat-Traversal
-#
-#	This macro (bidirectional) handles IPsec traffic and Nat-Traversal
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	500	# IKE
 PARAM	-	-	udp	4500	# NAT-T
 PARAM	-	-	50		# ESP

Shorewall/Macros/macro.IRC

@@ -1,13 +1,10 @@
 #
-# Shorewall IRC Macro
+# Shorewall -- /usr/share/shorewall/macro.IRC
 #
-# /usr/share/shorewall/macro.IRC
+# This macro handles IRC traffic (Internet Relay Chat).
-#
-#	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
  PARAM	-	-	tcp	6667 { helper=irc }

Shorewall/Macros/macro.JAP

@@ -1,17 +1,14 @@
 #
-# Shorewall - JAP Macro
+# Shorewall -- /usr/share/shorewall/macro.JAP
 #
-# /usr/share/shorewall/macro.JAP
+# This macro handles JAP Anon Proxy Mix server traffic.
-#
+# It is NOT for people trying to browse anonymously!
-#	This macro handles JAP Anon Proxy traffic.  This macro is for
-#	administrators running a Mix server.  It is NOT for people trying
-#	to browse anonymously!
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
-HTTPS(PARAM)
+HTTPS
-SSH(PARAM)
+SSH

Shorewall/Macros/macro.Jabber

@@ -1,11 +1,9 @@
 #
-# Shorewall - Jabber Macro
+# Shorewall -- /usr/share/shorewall/macro.Jabber
 #
-# /usr/share/shorewall/macro.Jabber
+# This macro handles Jabber traffic.
-#
-#	This macro accepts Jabber traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	5222

Shorewall/Macros/macro.JabberPlain

@@ -1,12 +1,9 @@
 #
-# Shorewall - JabberPlain Macro
+# Shorewall -- /usr/share/shorewall/macro.JabberPlain
 #
-# /usr/share/shorewall/macro.JabberPlain
+# This macro is deprecated - use of macro.Jabber instead is recommended.
-#
-#	This macro accepts Jabber traffic (plaintext). This macro is
-#	deprecated - use of macro.Jabber instead is recommended.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 Jabber

Shorewall/Macros/macro.JabberSecure

@@ -1,13 +1,9 @@
 #
-# Shorewall - JabberSecure (SSL) Macro
+# Shorewall -- /usr/share/shorewall/macro.JabberSecure
 #
-# /usr/share/shorewall/macro.JabberSecure
+# This macro handles deprecated Jabber (SSL) traffic. Use STARTTLS instead.
-#
-#	This macro accepts Jabber traffic (SSL). Use of Jabber with SSL
-#	is deprecated, please configure Jabber with STARTTLS and use
-#	Jabber macro instead.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	5223

Shorewall/Macros/macro.Jabberd

@@ -1,11 +1,9 @@
 #
-# Shorewall - Jabberd (server intercommunication)
+# Shorewall -- /usr/share/shorewall/macro.Jabberd
 #
-# /usr/share/shorewall/macro.Jabberd
+# This macro handles Jabberd intercommunication traffic
-#
-#	This macro accepts Jabberd intercommunication traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	5269

Shorewall/Macros/macro.Jetdirect

@@ -1,11 +1,9 @@
 #
-# Shorewall - Jetdirect Macro
+# Shorewall -- /usr/share/shorewall/macro.Jetdirect
 #
-# /usr/share/shorewall/macro.Jetdirect
+# This macro handles HP Jetdirect printing.
-#
-#	This macro handles HP Jetdirect printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	9100

Shorewall/Macros/macro.Kerberos

@@ -1,12 +1,10 @@
 #
-# Shorewall - Kerberos Macro
+# Shorewall -- /usr/share/shorewall/macro.Kerberos
 #
-# /usr/share/shorewall/macro.Kerberos
+# This macro handles Kerberos traffic.
-#
-#	This macro handles Kerberos traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	88
 PARAM	-	-	udp	88

Shorewall/Macros/macro.L2TP

@@ -1,13 +1,11 @@
 #
-# Shorewall - L2TP Macro
+# Shorewall -- /usr/share/shorewall/macro.L2TP
 #
-# /usr/share/shorewall/macro.L2TP
+# This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic.
-#
+# (RFC 2661)
-#	This macro (bidirectional) handles Layer 2 Tunneling Protocol traffic
-#	(RFC 2661)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	1701	# L2TP
 PARAM	DEST	SOURCE	udp	1701	# L2TP

Shorewall/Macros/macro.LDAP

@@ -1,16 +1,14 @@
 #
-# Shorewall - LDAP Macro
+# Shorewall -- /usr/share/shorewall/macro.LDAP
 #
-# /usr/share/shorewall/macro.LDAP
+# This macro handles plaintext LDAP traffic. For encrypted LDAP
-#
+# traffic, see macro.LDAPS.  Use of LDAPS is recommended (and is
-#	This macro handles plaintext LDAP traffic.  For encrypted LDAP
+# required by some directory services) if you want to do user
-#	traffic, see macro.LDAPS.  Use of LDAPS is recommended (and is
+# authentication over LDAP.  Note that some LDAP implementations
-#	required by some directory services) if you want to do user
+# support initiating TLS connections via the plaintext LDAP port.
-#	authentication over LDAP.  Note that some LDAP implementations
+# Consult your LDAP server documentation for details.
-#	support initiating TLS connections via the plaintext LDAP port.
-#	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	389

Shorewall/Macros/macro.LDAPS

@@ -1,16 +1,14 @@
 #
-# Shorewall - LDAPS Macro
+# Shorewall -- /usr/share/shorewall/macro.LDAPS
 #
-# /usr/share/shorewall/macro.LDAPS
+# This macro handles encrypted LDAP traffic.  For plaintext LDAP
-#
+# traffic, see macro.LDAP.  Use of LDAPS is recommended (and is
-#	This macro handles encrypted LDAP traffic.  For plaintext LDAP
+# required by some directory services) if you want to do user
-#	traffic, see macro.LDAP.  Use of LDAPS is recommended (and is
+# authentication over LDAP.  Note that some LDAP implementations
-#	required by some directory services) if you want to do user
+# support initiating TLS connections via the plaintext LDAP port.
-#	authentication over LDAP.  Note that some LDAP implementations
+# Consult your LDAP server documentation for details.
-#	support initiating TLS connections via the plaintext LDAP port.
-#	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	636

Shorewall/Macros/macro.MSA

@@ -0,0 +1,9 @@
+#
+# Shorewall -- /usr/share/shorewall/macro.MSA
+#
+# This macro handles mail message submission agent (MSA) traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	tcp	587

Shorewall/Macros/macro.MSNP

@@ -1,11 +1,9 @@
 #
-# Shorewall - MSNP Macro
+# Shorewall - /usr/share/shorewall/macro.MSNP
 #
-# /usr/share/shorewall/macro.MSNP
+# This macro handles MSNP (MicroSoft Notification Protocol)
-#
-#	This macro handles MSNP (MicroSoft Notification Protocol)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	1863

Shorewall/Macros/macro.MSSQL

@@ -1,12 +1,10 @@
 #
-# Shorewall - MSSQL Macro
+# Shorewall -- /usr/share/shorewall/macro.MSSQL
 #
-# /usr/share/shorewall/macro.MSSQL
+# This macro handles MSSQL (Microsoft SQL Server)
-#
-#	This macro handles MSSQL (Microsoft SQL Server)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	1433
 PARAM	-	-	udp	1434

Shorewall/Macros/macro.Mail

@@ -1,19 +1,17 @@
 #
-# Shorewall - Mail Macro
+# Shorewall -- /usr/share/shorewall/macro.Mail
 #
-# /usr/share/shorewall/macro.Mail
+# This macro handles SMTP (email secure and insecure) traffic.
+# It's the aggregate of macro.SMTP, macro.SMTPS, macro.MSA.
 #
-#	This macro handles SMTP (email secure and insecure) traffic.
+# Note: This macro handles traffic between an MUA (Email client)
-#	It's the aggregate of macro.SMTP, macro.SMTPS, macro.Submission.
+# and an MTA (mail server) or between MTAs. It does not enable
-#
+# reading of email via POP3 or IMAP. For those you need to use
-#	Note: This macro handles traffic between an MUA (Email client)
+# the POP3 or IMAP macros.
-#	and an MTA (mail server) or between MTAs. It does not enable
-#	reading of email via POP3 or IMAP. For those you need to use
-#	the POP3 or IMAP macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
-PARAM	-	-	tcp	25
+SMTP
-PARAM	-	-	tcp	465
+SMTPS
-PARAM	-	-	tcp	587
+MSA

Shorewall/Macros/macro.MongoDB

@@ -1,11 +1,9 @@
 #
-# Shorewall - MongoDB Macro
+# Shorewall -- /usr/share/shorewall/macro.MongoDB
 #
-# /usr/share/shorewall/macro.MongoDB
+# This macro handles MongoDB Daemon/Router traffic.
-#
-#	This macro handles MongoDB Daemon/Router traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	27017

Shorewall/Macros/macro.Munin

@@ -1,11 +1,9 @@
 #
-# Shorewall - Munin Macro
+# Shorewall -- /usr/share/shorewall/macro.Munin
 #
-# /usr/share/shorewall/macro.Munin
+# This macro handles Munin networked resource monitoring traffic.
-#
-#	This macro handles Munin networked resource monitoring traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	4949

Shorewall/Macros/macro.MySQL

@@ -1,11 +1,9 @@
 #
-# Shorewall - MySQL Macro
+# Shorewall -- /usr/share/shorewall/macro.MySQL
 #
-# /usr/share/shorewall/macro.MySQL
+# This macro handles connections to the MySQL server.
-#
-#	This macro handles connections to the MySQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	3306

Shorewall/Macros/macro.NNTP

@@ -1,12 +1,10 @@
 #
-# Shorewall NNTP Macro
+# Shorewall -- /usr/share/shorewall/macro.NNTP
 #
-# /usr/share/shorewall/macro.NNTP
+# This macro handles plaintext NNTP traffic (Usenet).
-#
+# For encrypted NNTP, see macro.NNTPS.
-#	This macro handles plaintext NNTP traffic (Usenet).  For
-#	encrypted NNTP, see macro.NNTPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	119

Shorewall/Macros/macro.NNTPS

@@ -1,12 +1,10 @@
 #
-# Shorewall NNTPS Macro
+# Shorewall -- /usr/share/shorewall/macro.NNTPS
 #
-# /usr/share/shorewall/macro.NNTPS
+# This macro handles encrypted NNTP traffic (Usenet).
-#
+# For plaintext NNTP, see macro.NNTP.
-#	This macro handles encrypted NNTP traffic (Usenet).  For
-#	plaintext NNTP, see macro.NNTP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	563

Shorewall/Macros/macro.NTP

@@ -1,12 +1,10 @@
 #
-# Shorewall - NTP Macro
+# Shorewall -- /usr/share/shorewall/macro.NTP
 #
-# /usr/share/shorewall/macro.NTP
+# This macro handles NTP traffic.
-#
+# For broadcast NTP traffic, use NTPbrd Macro.
-#	This macro handles NTP traffic (ntpd).
-#	For broadcast NTP traffic, use NTPbrd Macro.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	123

Shorewall/Macros/macro.NTPbi

@@ -1,12 +1,10 @@
 #
-# Shorewall - NTPbi Macro
+# Shorewall -- /usr/share/shorewall/macro.NTPbi
 #
-# /usr/share/shorewall/macro.NTPbi
+# This macro handles  bi-directional NTP (for NTP peers).
-#
-#        This macro handles  bi-directional NTP (for NTP peers)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
-PARAM	-	-	udp	123
+NTP
-PARAM	DEST	SOURCE	udp	123
+NTP	DEST	SOURCE

Shorewall/Macros/macro.NTPbrd

@@ -1,17 +1,14 @@
 #
-# Shorewall - NTPbrd Macro
+# Shorewall -- /usr/share/shorewall/macro.NTPbrd
 #
-# /usr/share/shorewall/macro.NTPbrd
+# This macro handles NTP traffic including replies to Broadcast NTP traffic.
 #
-#	This macro handles NTP traffic (ntpd) including replies to Broadcast
+# It is recommended only to use this where the source host is trusted -
-#	NTP traffic.
+# otherwise it opens up a large hole in your firewall because
-#
+# Netfilter doesn't track connections for broadcast traffic.
-#	It is recommended only to use this where the source host is trusted -
-#	otherwise it opens up a large hole in your firewall because
-#	Netfilter doesn't track connections for broadcast traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
-PARAM	-		-		udp	123
+PARAM	-	-	udp	123
-PARAM	-		-		udp	1024:	123
+PARAM	-	-	udp	1024:	123

Shorewall/Macros/macro.OSPF

@@ -1,11 +1,9 @@
 #
-# Shorewall - OSPF Macro
+# Shorewall -- /usr/share/shorewall/macro.OSPF
 #
-# /usr/share/shorewall/macro.OSPF
+# This macro handles OSPF multicast traffic.
-#
-#	This macro handles OSPF multicast traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	89	# OSPF

Shorewall/Macros/macro.OpenVPN

@@ -1,11 +1,9 @@
 #
-# Shorewall - OpenVPN Macro
+# Shorewall -- /usr/share/shorewall/macro.OpenVPN
 #
-# /usr/share/shorewall/macro.OpenVPN Macro
+# This macro handles OpenVPN traffic.
-#
-#	This macro handles OpenVPN traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	1194

Shorewall/Macros/macro.PCA

@@ -1,12 +1,10 @@
 #
-# Shorewall - PCA Macro
+# Shorewall -- /usr/share/shorewall/macro.PCA
 #
-# /usr/share/shorewall/macro.PCA
+# This macro handles PCAnywere (tm) traffic.
-#
-#	This macro handles PCAnywere (tm)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	5632
 PARAM	-	-	tcp	5631

Shorewall/Macros/macro.POP3

@@ -1,12 +1,10 @@
 #
-# Shorewall - POP3 Macro
+# Shorewall -- /usr/share/shorewall/macro.POP3
 #
-# /usr/share/shorewall/macro.POP3
+# This macro handles plaintext POP3 traffic.
-#
+# For encrypted POP3, see macro.POP3S.
-#	This macro handles plaintext POP3 traffic.  For encrypted POP3,
-#	see macro.POP3S.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	110

Shorewall/Macros/macro.POP3S

@@ -1,12 +1,10 @@
 #
-# Shorewall - POP3S Macro
+# Shorewall -- /usr/share/shorewall/macro.POP3S
 #
-# /usr/share/shorewall/macro.POP3S
+# This macro handles encrypted POP3 traffic.
-#
+# For plaintext POP3, see macro.POP3.
-#	This macro handles encrypted POP3 traffic.  For plaintext POP3,
-#	see macro.POP3.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	995	# Secure POP3

Shorewall/Macros/macro.PPtP

@@ -1,15 +1,12 @@
 #
-# Shorewall - PPTP Macro
+# Shorewall -- /usr/share/shorewall/macro.PPtP Macro
 #
-# /usr/share/shorewall/macro.PPtP Macro
+# This macro handles PPTP traffic. NOTE: PPTP protocol is insecure.
-#
-#	This macro handles PPTP traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
-PARAM	-	-	47
+GRE
-PARAM	DEST	SOURCE	47
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
  PARAM	-	-	tcp	1723 { helper=pptp }

Shorewall/Macros/macro.Ping

@@ -1,11 +1,9 @@
 #
-# Shorewall - Ping Macro
+# Shorewall -- /usr/share/shorewall/macro.Ping
 #
-# /usr/share/shorewall/macro.Ping
+# This macro handles ICMP 'ping' requests.
-#
-#	This macro handles 'ping' requests.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	icmp	8

Shorewall/Macros/macro.PostgreSQL

@@ -1,11 +1,9 @@
 #
-# Shorewall - PostgreSQL Macro
+# Shorewall -- /usr/share/shorewall/macro.PostgreSQL
 #
-# /usr/share/shorewall/macro.PostgreSQL
+# This macro handles connections to the PostgreSQL server.
-#
-#	This macro handles connections to the PostgreSQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	5432

Shorewall/Macros/macro.Printer

@@ -1,11 +1,9 @@
 #
-# Shorewall - Printer Macro
+# Shorewall -- /usr/share/shorewall/macro.Printer
 #
-# /usr/share/shorewall/macro.Printer
+# This macro handles Line Printer protocol printing.
-#
-#	This macro handles Line Printer protocol printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	515

Shorewall/Macros/macro.Puppet

@@ -1,12 +1,9 @@
 #
-# Shorewall - Puppet Macro
+# Shorewall -- /usr/share/shorewall/macro.Puppet
 #
-# /usr/share/shorewall/macro.Puppet
+# This macro handles client-to-server for the Puppet configuration management.
-#
-#	This macro handles client-to-server for the Puppet configuration
-#	management system.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	8140

Shorewall/Macros/macro.QUIC

@@ -1,11 +1,9 @@
 #
-# Shorewall - QUIC Macro
+# Shorewall -- /usr/share/shorewall/macro.QUIC
 #
-# /usr/share/shorewall/macro.QUIC
+# This macro handles QUIC (Quick UDP Internet Connections).
-#
-#	This macro handles QUIC (Quick UDP Internet Connections).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	80,443

Shorewall/Macros/macro.RDP

@@ -1,11 +1,9 @@
 #
-# Shorewall - RDP Macro
+# Shorewall -- /usr/share/shorewall/macro.RDP
 #
-# /usr/share/shorewall/macro.RDP
+# This macro handles Microsoft RDP (Remote Desktop) traffic.
-#
-#	This macro handles Microsoft RDP (Remote Desktop) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	3389

Shorewall/Macros/macro.RIPbi

@@ -1,12 +1,10 @@
 #
-# Shorewall - RIPbi Macro
+# Shorewall -- /usr/share/shorewall/macro.RIPbi
 #
-# /usr/share/shorewall/macro.RIPbi
+# This macro (bidirectional) handles Routing Information Protocol (RIP).
-#
-#        This macro handles RIP (Routing Information Protocol) - bidirectional
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	520
 PARAM	DEST	SOURCE	udp	520

Shorewall/Macros/macro.RNDC

@@ -1,11 +1,9 @@
 #
-# Shorewall - RNDC Macro
+# Shorewall -- /usr/share/shorewall/macro.RNDC
 #
-# /usr/share/shorewall/macro.RNDC
+# This macro handles BIND remote management protocol (RNDC) traffic.
-#
-#	This macro handles RNDC (BIND remote management protocol) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	953

Shorewall/Macros/macro.Razor

@@ -1,11 +1,9 @@
 #
-# Shorewall - Razor Macro
+# Shorewall -- /usr/share/shorewall/macro.Razor
 #
-# /usr/share/shorewall/macro.Razor
+# This macro handles traffic for the Razor Antispam System
-#
-#	This macro handles traffic for the Razor Antispam System
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 ACCEPT	-	-	tcp	2703

Shorewall/Macros/macro.Rdate

@@ -1,15 +1,13 @@
 #
-# Shorewall - Rdate Macro
+# Shorewall -- /usr/share/shorewall/macro.Rdate
 #
-# /usr/share/shorewall/macro.Rdate
+# This macro handles remote time retrieval (rdate).
-#
+# Unless you are supporting extremely old hardware or software,
-#	This macro handles remote time retrieval (rdate).
+# you shouldn't be using this. NTP is a superior alternative.
-#	Unless you are supporting extremely old hardware or software,
+# And even if you need to use rfc 868 Time protocol you should
-#	you shouldn't be using this.  NTP is a superior alternative.
+# use Time macro instead.
-#	And even if you need to use rfc 868 Time protocol you should
-#	use Time macro instead.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	37

Shorewall/Macros/macro.Redis

@@ -1,11 +1,9 @@
 #
-# Shorewall - Redis Macro
+# Shorewall -- /usr/share/shorewall/macro.Redis
 #
-# /usr/share/shorewall/macro.Redis
+# This macro handles Redis traffic.
-#
-#	This macro handles Redis traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	6379

Shorewall/Macros/macro.Reject

@@ -1,19 +1,15 @@
 #
-# Shorewall - Reject Macro
+# Shorewall -- /usr/share/shorewall/macro.Reject
 #
-# /usr/share/shorewall/macro.Reject
+# This macro generates the same rules as the Reject default action
+# It is used in place of action.Reject when USE_ACTIONS=No.
 #
-#	This macro generates the same rules as the Reject default action
+# Example:
-#	It is used in place of action.Reject when USE_ACTIONS=No.
-#
-#	Example:
-#
-#		Reject	loc	fw
 #
+#	Reject	loc	fw
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 #
 # Don't log 'auth' REJECT
 #

Shorewall/Macros/macro.Rfc1918

@@ -1,14 +1,10 @@
 #
-# Shorewall - Macro Template
+# Shorewall -- /usr/share/shorewall/macro.Rfc1918
 #
-# /usr/share/shorewall/macro.Rfc1918
+# This macro handles SOURCE or ORIGDEST address reserved by RFC 1918.
 #
-#	This macro handles pkts with a SOURCE or ORIGINAL DEST address
+###############################################################################
-#	reserved by RFC 1918
+#ACTION	SOURCE	DEST
-#
+
-#############################################################################################
+PARAM	SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16	DEST
-#ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+PARAM	SOURCE	DEST { origdest=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 }
-#						PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM		SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
-				DEST
-PARAM		SOURCE		DEST	-	-	-	10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

Shorewall/Macros/macro.Rsync

@@ -1,11 +1,9 @@
 #
-# Shorewall - Rsync Macro
+# Shorewall -- /usr/share/shorewall/macro.Rsync
 #
-# /usr/share/shorewall/macro.Rsync
+# This macro handles connections to the rsync server.
-#
-#	This macro handles connections to the rsync server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	873

Shorewall/Macros/macro.SANE

@@ -1,13 +1,10 @@
 #
-# Shorewall - SANE Macro
+# Shorewall -- /usr/share/shorewall/macro.SANE
 #
-# /usr/share/shorewall/macro.SANE
+# This macro handles SANE network scanning.
-#
-#	This macro handles SANE network scanning.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
  PARAM	-	-	tcp	6566 { helper=sane }
@@ -17,7 +14,8 @@
 
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
-# sane data connection.
+# sane data connection. If you need these, copy this file to /etc/shorewall
+# and remove comments from one of the entries below.
 #
 # If you don't have sane conntracking support you need to open whole dynamic
 # port range.

Shorewall/Macros/macro.SIP

@@ -1,13 +1,10 @@
 #
-# Shorewall - SIP Macro
+# Shorewall -- /usr/share/shorewall/macro.SIP
 #
-# /usr/share/shorewall/macro.SIP
+# This macro handles SIP traffic.
-#
-#	This macro handles SIP traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
  PARAM	-	-	udp	5060 { helper=sip }

Shorewall/Macros/macro.SMB

@@ -1,17 +1,15 @@
 #
-# Shorewall - SMB Macro
+# Shorewall -- /usr/share/shorewall/macro.SMB
 #
-# /usr/share/shorewall/macro.SMB
+# This macro handles Microsoft SMB traffic.
-#
+# You need to invoke this macro in both directions.
-#	This macro handles Microsoft SMB traffic. You need to invoke
+# Beware!  This rule opens a lot of ports, and could possibly be used to
-#	this macro in both directions.  Beware!  This rule opens a lot
+# compromise your firewall if not used with care. You should only allow SMB
-#	of ports, and could possibly be used to compromise your firewall
+# traffic between hosts you fully trust.
-#	if not used with care.  You should only allow SMB traffic
-#	between hosts you fully trust.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	udp	135,445
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )

Shorewall/Macros/macro.SMBBI

@@ -1,36 +1,14 @@
 #
-# Shorewall - SMB Bi-directional Macro
+# Shorewall -- /usr/share/shorewall/macro.SMBBI
 #
-# /usr/share/shorewall/macro.SMBBI
+# This macro (bidirectional) handles Microsoft SMB traffic.
 #
-#	This macro (bidirectional) handles Microsoft SMB traffic.
+# Beware! This macro opens a lot of ports, and could possibly be used
-#
+# to compromise your firewall if not used with care. You should only
-#	Beware!  This macro opens a lot of ports, and could possibly be used
+# allow SMB traffic between hosts you fully trust.
-#	to compromise your firewall if not used with care.  You should only
-#	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-PARAM	-	-	udp	135,445
 
-?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+SMB
- PARAM	-	-	udp	137 { helper=netbios-ns }
+SMB	DEST	SOURCE
- PARAM	-	-	udp	138:139
-?else
- PARAM	-	-	udp	137:139
-?endif
-
-PARAM	-	-	udp	1024:	137
-PARAM	-	-	tcp	135,139,445
-PARAM	DEST	SOURCE	udp	135,445
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 { helper=netbios-ns }
- PARAM	DEST	SOURCE	udp	138:139
-?else
- PARAM	DEST	SOURCE	udp	137:139
-?endif
-
-PARAM	DEST	SOURCE	udp	1024:	137
-PARAM	DEST	SOURCE	tcp	135,139,445

Shorewall/Macros/macro.SMBswat

@@ -1,12 +1,9 @@
 #
-# Shorewall - SMBswat Macro
+# Shorewall -- /usr/share/shorewall/macro.SMBswat
 #
-# /usr/share/shorewall/macro.SMBswat
+# This macro handles connections to the Samba Web Administration Tool (SWAT).
-#
-#	This macro handles connections to the Samba Web Administration Tool
-#	(SWAT).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	901

Shorewall/Macros/macro.SMTP

@@ -1,19 +1,12 @@
 #
-# Shorewall - SMTP Macro
+# Shorewall -- /usr/share/shorewall/macro.SMTP
 #
-# /usr/share/shorewall/macro.SMTP
+# This macro handles SMTP (email) traffic.
-#
+# For deprecated SMTP encrypted over SSL (TLS), use macro.SMTPS.
-#	This macro handles plaintext SMTP (email) traffic.  For SMTP
+# Note that STARTTLS can be used over the standard STMP port, so the use of
-#	encrypted over SSL, use macro.SMTPS.  Note that STARTTLS can be
+# this macro doesn't necessarily imply the use of an insecure connection.
-#	used over the standard STMP port, so the use of this macro
-#	doesn't necessarily imply the use of an insecure connection.
-#
-#	Note: This macro handles traffic between an MUA (Email client)
-#	and an MTA (mail server) or between MTAs. It does not enable
-#	reading of email via POP3 or IMAP. For those you need to use
-#	the POP3 or IMAP macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	25

Shorewall/Macros/macro.SMTPS

@@ -1,16 +1,10 @@
 #
-# Shorewall - SMTPS Macro
+# Shorewall -- /usr/share/shorewall/macro.SMTPS
 #
-# /usr/share/shorewall/macro.SMTPS
+# This macro handles legacy SMTP over SSL (TLS) traffic.
-#
+# You should configure SMTP STARTTLS instead.
-#	This macro handles encrypted SMTPS (email) traffic.
-#
-#	Note: This macro handles traffic between an MUA (Email client)
-#	and an MTA (mail server) or between MTAs. It does not enable
-#	reading of email via POP3 or IMAP. For those you need to use
-#	the POP3(S) or IMAP(S) macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
 PARAM	-	-	tcp	465

Shorewall/Macros/macro.SNMP

@@ -1,15 +1,11 @@
 #
-# Shorewall - SNMP Macro
+# Shorewall -- /usr/share/shorewall/macro.SNMP
 #
-# /usr/share/shorewall/macro.SNMP
+# This macro handles SNMP traffic.
-#
+# Note: To allow SNMP Traps, use the SNMPTrap macro.
-#	This macro handles SNMP traffic.
-#
-#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
  PARAM	-	-  	udp     161 { helper=snmp }

Shorewall/Macros/macro.SNMPTrap

@@ -1,11 +1,9 @@
 #
-# Shorewall - SNMP Trap Macro
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
 #
-# /usr/share/shorewall/macro.SNMPtrap
+# This macro deprecated by SNMPtrap.
-#
-#	This macro handles SNMP traps.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+
-PARAM	-	-	udp	162
+SNMPtrap

Shorewall/Macros/macro.SNMPtrap

@@ -0,0 +1,9 @@
+#
+# Shorewall - /usr/share/shorewall/macro.SNMPtrap
+#
+# This macro handles SNMP traps.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
+
+PARAM	-	-	udp	162