| field | value | date |
|---|---|---|
| author | Jason McIntyre <jmc@cvs.openbsd.org> | 2003-01-28 10:40:22 +0000 |
| committer | Jason McIntyre <jmc@cvs.openbsd.org> | 2003-01-28 10:40:22 +0000 |
| commit | 1f70103e12ca9890cfff98320f97e67a4f80f3de (patch) | |
| tree | f67c0f4aa353bee5330290e9d9246803a204281d | |
| parent | f798cc62500b1f7ec32467a0805d64ebb1889735 (diff) | |
typos; added white boldface to examples
ok deraadt@
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | sbin/pfctl/pfctl.8 | 43 |
| -rw-r--r-- | sbin/pflogd/pflogd.8 | 28 |
| -rw-r--r-- | share/man/man4/bpf.4 | 12 |
| -rw-r--r-- | share/man/man4/pf.4 | 48 |
| -rw-r--r-- | usr.sbin/authpf/authpf.8 | 169 |

5 files changed, 171 insertions, 129 deletions
diff --git a/sbin/pfctl/pfctl.8 b/sbin/pfctl/pfctl.8 index cf96d01339c..689b7d377c0 100644 --- a/sbin/pfctl/pfctl.8 +++ b/sbin/pfctl/pfctl.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pfctl.8,v 1.70 2003/01/25 01:01:04 henning Exp $ +.\" $OpenBSD: pfctl.8,v 1.71 2003/01/28 10:40:21 jmc Exp $ .\" .\" Copyright (c) 2001 Kjell Wooding. All rights reserved. .\" @@ -32,6 +32,7 @@ .Nd control the packet filter (PF) and network address translation (NAT) device .Sh SYNOPSIS .Nm pfctl +.Bk -words .Op Fl AdehnNqrRvzO .Op Fl a Ar anchor[:ruleset] .Op Fl F Ar modifier @@ -41,6 +42,7 @@ .Op Fl x Ar level .Op Fl t Ar table .Op Fl T Ar command +.Ek .Sh DESCRIPTION The .Nm @@ -78,9 +80,9 @@ The packet filter does not itself forward packets between interfaces. Forwarding can be enabled by setting the .Xr sysctl 8 variables -.Li net.inet.ip.forwarding +.Em net.inet.ip.forwarding and/or -.Li net.inet6.ip6.forwarding , +.Em net.inet6.ip6.forwarding , to 1. Set them permanently in .Xr sysctl.conf 5 . .Pp @@ -144,13 +146,13 @@ A second .Fl k Ar host option may be specified, which will kill all the state entries from the first host to the second host. -.Bd -literal +.Bd -literal -offset indent Example: - Kill all of the state entries from host - # pfctl -k host - - Kill all of the state entries from host1 to host2 - # pfctl -k host1 -k host2 +Kill all of the state entries from host +.Ic # pfctl -k host +.Pp +Kill all of the state entries from host1 to host2 +.Ic # pfctl -k host1 -k host2 .Ed .It Fl h Help. @@ -158,7 +160,7 @@ Help. Do not actually load rules, just parse them. .It Fl N Load only the NAT rules present in the rule file. Filter rules and options are -ignored +ignored. .It Fl q Only print errors and warnings. .It Fl r 
@@ -177,8 +179,11 @@ Modifier names may be abbreviated: Show the currently loaded NAT rules. .It Fl s Ar queue Show the currently loaded queue rules. -When used together with -v, per-queue statistics are also shown. -When used together with -v -v, +When used together with +.Fl v , +per-queue statistics are also shown. +When used together with +.Fl v v , .Nm will loop and show updated queue statistics every five seconds, including measured bandwidth and packets per second. @@ -242,9 +247,10 @@ Clear all the statistics of a table. Load only the table definitions from pf.conf. Used in "pfctl -Tl -f pf.conf". .El +.Pp For the -.Ar add -.Ar delete +.Ar add , +.Ar delete , .Ar replace and .Ar test @@ -253,11 +259,14 @@ line and/or in an unformatted text file, using the .Fl f flag. #-starting comments are allowed in the text file. -With theses commands, the +With these commands, the .Fl v -flag can also be used once or twice, in which case pfctl will print the +flag can also be used once or twice, in which case +.Nm pfctl +will print the detailed result of the operation for each individual address, prefixed by -one of the following letter: +one of the following letters: +.Pp .Bl -tag -width XXX -compact .It A The address/network has been added. diff --git a/sbin/pflogd/pflogd.8 b/sbin/pflogd/pflogd.8 index ad7568b8472..60c986ca685 100644 --- a/sbin/pflogd/pflogd.8 +++ b/sbin/pflogd/pflogd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pflogd.8,v 1.16 2002/11/09 00:57:20 fgsch Exp $ +.\" $OpenBSD: pflogd.8,v 1.17 2003/01/28 10:40:21 jmc Exp $ .\" .\" Copyright (c) 2001 Can Erkin Acar. All rights reserved. .\" @@ -49,7 +49,7 @@ in .Xr tcpdump 8 binary format. These logs can be reviewed later using the -.Ar -r +.Fl r option of .Xr tcpdump 8 , hopefully offline in case there are bugs in the packet parsing code of 
@@ -99,31 +99,36 @@ The default of 96 is adequate for IP, ICMP, TCP, and UDP headers but may truncate protocol information for other protocols. Other file parsers may desire a higher snaplen. .It Ar expression -selects which packets will be dumped, using the regular language of +Selects which packets will be dumped, using the regular language of .Xr tcpdump 8 . .El .Sh EXAMPLES Log specific tcp packets to a different log file with a large snaplen (useful with a log-all rule to dump complete sessions) .Bd -literal -offset indent -# pflogd -s 1600 -f suspicious.log port 80 and host evilhost +.Xo Ic # pflogd -s 1600 -f suspicious.log port 80\ +.Ic and host evilhost +.Xc .Ed .Pp Display binary logs: .Bd -literal -offset indent -# tcpdump -n -e -ttt -r /var/log/pflog +.Ic # tcpdump -n -e -ttt -r /var/log/pflog .Ed .Pp Display the logs in real time (this does not interfere with the operation of pflogd): .Bd -literal -offset indent -# tcpdump -n -e -ttt -i pflog0 +.Ic # tcpdump -n -e -ttt -i pflog0 .Ed .Pp Tcpdump has been extended to to be able to filter on the pfloghdr -structure defined in net/if_pflog.h. Tcpdump can restrict the output +structure defined in +.Aq Ar net/if_pflog.h . +Tcpdump can restrict the output to packets logged on a specified interface, a rule number, a reason, a direction, an ip family or an action. +.Pp .Bl -tag -width "reason match " -compact .It ip Address family equals IPv4. @@ -149,14 +154,17 @@ The direction was outbound. Display the logs in real time of inbound packets that were blocked on the wi0 interface: .Bd -literal -offset indent -# tcpdump -n -e -ttt -i pflog0 inbound and action block and on wi0 +.Xo Ic # tcpdump -n -e -ttt -i pflog0 inbound\ +.Ic and action block and on wi0 +.Xc .Ed .Sh FILES .Bl -tag -width /var/run/pflogd.pid -compact .It Pa /var/run/pflogd.pid -process ID of current +Process ID of the currently running +.Nm pflogd . .It Pa /var/log/pflog -Default log file +Default log file. .El .Sh SEE ALSO .Xr pcap 3 , 
diff --git a/share/man/man4/bpf.4 b/share/man/man4/bpf.4 index 0d52ea96651..b043e512fb5 100644 --- a/share/man/man4/bpf.4 +++ b/share/man/man4/bpf.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: bpf.4,v 1.13 2002/06/29 23:30:07 naddy Exp $ +.\" $OpenBSD: bpf.4,v 1.14 2003/01/28 10:40:20 jmc Exp $ .\" $NetBSD: bpf.4,v 1.7 1995/09/27 18:31:50 thorpej Exp $ .\" .\" Copyright (c) 1990 The Regents of the University of California. @@ -45,7 +45,7 @@ After opening the device, the file descriptor must be bound to a specific network interface with the .Dv BIOSETIF ioctl. -A given interface can be shared between multiple listeners and the filter +A given interface can be shared between multiple listeners, and the filter underlying each descriptor will see an identical packet stream. The total number of open files is limited to the value given in the kernel configuration; the example given in the @@ -211,7 +211,7 @@ which must respond to messages in real time. The default for a new file is off. .It Dv BIOCSETF Pf ( Li "struct bpf_program" Ns No ) Sets the filter program used by the kernel to discard uninteresting packets. -An array of instructions and its length is passed in using the following +An array of instructions and its length are passed in using the following structure: .Pp .Bd -literal -offset indent @@ -223,7 +223,7 @@ struct bpf_program { .Pp The filter program is pointed to by the .Fa bf_insns -field while its length in units of +field, while its length in units of .Li struct bpf_insn is given by the .Fa bf_len @@ -434,7 +434,7 @@ There are eight classes of instructions: and .Dv BPF_MISC . Various other mode and operator bits are logically OR'd into the class to -given the actual instructions. +give the actual instructions. The classes and modes are defined in .Aq Pa net/bpf.h . Below are the semantics for each defined 
@@ -773,7 +773,7 @@ of packet to accept (i.e., they return the truncation amount). A return value of zero indicates that the packet should be ignored. The return value is either a constant .Pf ( Dv BPF_K ) -of the accumulator +or the accumulator .Pf ( Dv BPF_A ) . .Pp .Bl -tag -width 32n -compact diff --git a/share/man/man4/pf.4 b/share/man/man4/pf.4 index af7ecec4259..7004bcf9ee4 100644 --- a/share/man/man4/pf.4 +++ b/share/man/man4/pf.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: pf.4,v 1.27 2003/01/20 17:50:41 cedric Exp $ +.\" $OpenBSD: pf.4,v 1.28 2003/01/28 10:40:20 jmc Exp $ .\" .\" Copyright (C) 2001, Kjell Wooding. All rights reserved. .\" @@ -36,7 +36,9 @@ .Cd "pseudo-device pf 1" .Sh DESCRIPTION Packet filtering takes place in the kernel. -A pseudo-device, /dev/pf, allows userland processes to control the +A pseudo-device, +.Pa /dev/pf , +allows userland processes to control the behavior of the packet filter through an .Xr ioctl 2 interface. @@ -72,7 +74,7 @@ Starts the ALTQ bandwidth control system. Stops the ALTQ bandwidth control system. .It Dv DIOCBEGINADDRS Fa "u_int32_t" Clears the buffer address pool -and returns ticket for subsequent DIOCADDADDR, DIOCADDRULE and +and returns a ticket for subsequent DIOCADDADDR, DIOCADDRULE and DIOCCHANGERULE calls. .It Dv DIOCADDADDR Fa "struct pfioc_pooladdr" .Bd -literal @@ -98,7 +100,7 @@ All other members of the structure are ignored. .It Dv DIOCBEGINRULES Fa "u_int32_t" Clears the inactive ruleset for the type of rule indicated by .Va rule.action -and returns ticket for subsequent +and returns a ticket for subsequent DIOCADDRULE and DIOCCOMMITRULES calls. .It Dv DIOCADDRULE Fa "struct pfioc_rule" .Bd -literal 
@@ -136,7 +138,7 @@ Switch inactive to active filter ruleset. Requires .Va ticket . .It Dv DIOCBEGINALTQS Fa "u_int32_t" -Clears the inactive list of queues and returns ticket for subsequent +Clears the inactive list of queues and returns a ticket for subsequent DIOCADDALTQ and DIOCCOMMITALTQS calls. .It Dv DIOCADDALTQ Fa "struct pfioc_altq" Adds @@ -406,7 +408,7 @@ On entry, pfrio_buffer[pfrio_size] contains a valid writeable buffer for pfr_table structures. On exit, pfrio_size contains the number of tables written into the buffer. If the buffer is too small, the kernel does not store anything but just -return the required buffer size, without error. +returns the required buffer size, without error. .It Dv DIOCRGETTSTATS Fa "struct pfioc_table" Like .Dv DIOCRGETTABLES, but returns an array of pfr_tstats structures. @@ -436,7 +438,7 @@ On entry, pfrio_table contains the table to clear. On exit, pfrio_ndel contains the number of addresses removed. .It Dv DIOCRADDADDRS Fa "struct pfioc_table" Add one or more addresses to a table. -On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size] +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] contains the list of pfr_addr structures to add. On exit, pfrio_nadd contains the number of addresses effectively added. .Bd -literal 
@@ -455,24 +457,24 @@ struct pfr_addr { .Ed .It Dv DIOCRDELADDRS Fa "struct pfioc_table" Delete one or more addresses from a table. -On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size] +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] contains the list of pfr_addr structures to delete. On exit, pfrio_ndel contains the number of addresses effectively deleted. .It Dv DIOCRSETADDRS Fa "struct pfioc_table" Replace the content of a table by a new address list. This is the most complicated command, which uses all the structure members. -On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size] +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] contains the new list of pfr_addr structures. In addition to that, if size2 is nonzero, pfrio_buffer[pfrio_size..pfrio_size2] must be a writeable buffer, into which the kernel can copy the addresses that have been deleted during the replace operation. -On exit, pfrio_ndel, pfrio_nadd and pfrio_nchange contains the number of +On exit, pfrio_ndel, pfrio_nadd and pfrio_nchange contain the number of addresses deleted, added and changed by the kernel. if pfrio_size2 was set on entry, pfrio_size2 will point to the size of the buffer used, exactly like .Dv DIOCRGETADDRS. .It Dv DIOCRGETADDRS Fa "struct pfioc_table" Get all the addresses of a table. -On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size] +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] contains a valid writeable buffer for pfr_addr structures. On exit, pfrio_size contains the number of addresses written into the buffer. If the buffer was too small, the kernel does not store anything but just 
@@ -492,14 +494,14 @@ struct pfr_astats { .Ed .It Dv DIOCRCLRASTATS Fa "struct pfioc_table" Clears the statistics of one or more addresses. -On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size] +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] contains a table of pfr_addr structures to clear. On exit, pfrio_nzero contains the number of addresses effectively cleared. .It Dv DIOCRTSTADDRS Fa "struct pfioc_table" Test if the given addresses match a table. -On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size] +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] contains a table of pfr_addr structures to test. -On exit, the kernel update the pfr_addr table by setting the pfra_fback +On exit, the kernel updates the pfr_addr table by setting the pfra_fback member appropriately. .It Dv DIOCRSETTFLAGS Fa "struct pfioc_table" Change the 
@@ -508,27 +510,27 @@ or .Va persist flag of a table. On entry, pfrio_buffer[pfrio_size] contains a table of pfr_table structures, -and pfrio_setflag contain the flags to add, while pfrio_clrflag the flags to -remove. -On exit, pfrio_nchange and pfrio_ndel contains the number of tables altered -or deleted by the kernel. Yes, tables can be deleted if one remove the +and pfrio_setflag contains the flags to add, while pfrio_clrflag contains the +flags to remove. +On exit, pfrio_nchange and pfrio_ndel contain the number of tables altered +or deleted by the kernel. Yes, tables can be deleted if one removes the .Va persist flag of an unreferenced table. .It Dv DIOCRINABEGIN Fa "struct pfioc_table" Starts a transaction with the inactive set of tables. Cleans up any leftover -from a previous aborted transaction, and returns a new ticket. +from a previously aborted transaction, and returns a new ticket. On exit, pfrio_ndel contains the number of leftover table deleted, and -pfrio_ticket contain a valid ticket to use for the following two IOCTLs. +pfrio_ticket contains a valid ticket to use for the following two IOCTLs. .It Dv DIOCRINACOMMIT Fa "struct pfioc_table" Commit the inactive set of tables into the active set. While copying the addresses, do a best effort to keep statistics for addresses present before and after the commit. On entry, io->pfrio_ticket takes a valid ticket. -On exit, io->pfrio_nadd and io->pfrio_nchange contains the number of tables +On exit, io->pfrio_nadd and io->pfrio_nchange contain the number of tables added and altered by the commit operation. .It Dv DIOCRINADEFINE Fa "struct pfioc_table" Defines a table in the inactive set. -On entry, pfrio_table contain the table id and pfrio_buffer[pfrio_size] +On entry, pfrio_table contains the table id and pfrio_buffer[pfrio_size] contains the list of pfr_addr structures to put in the table. A valid ticket must also be supplied to pfrio_ticket. 
On exit, pfrio_nadd contains 0 if the table was already defined in the @@ -600,8 +602,8 @@ main(int argc, char *argv[]) } .Ed .Sh SEE ALSO -.Xr bridge 4 , .Xr ioctl 2 , +.Xr bridge 4 , .Xr pflog 4 , .Xr pfsync 4 , .Xr pfctl 8 diff --git a/usr.sbin/authpf/authpf.8 b/usr.sbin/authpf/authpf.8 index 581ab81c86a..7ea42fd357d 100644 --- a/usr.sbin/authpf/authpf.8 +++ b/usr.sbin/authpf/authpf.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: authpf.8,v 1.20 2002/12/29 22:23:37 dhartmei Exp $ +.\" $OpenBSD: authpf.8,v 1.21 2003/01/28 10:40:20 jmc Exp $ .\" .\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved. .\" @@ -50,7 +50,7 @@ different places. .Nm logs the successful start and end of a session to .Xr syslog 8 . -This, combined with properly set up filter rules and secure switches +This, combined with properly set up filter rules and secure switches, can be used to ensure users are held accountable for their network traffic. .Pp .Nm @@ -70,8 +70,8 @@ On startup, retrieves the client's connecting IP address via the .Ev SSH_CLIENT environment variable and, after performing additional access checks, -reads a template file to determine what filter and translation (if -any) rules to add. +reads a template file to determine what filter and translation rules +(if any) to add. On session exit the same rules that were added at startup are removed. .Pp Each @@ -93,10 +93,10 @@ in order to cause evaluation of any .Nm rules: .Bd -literal -nat-anchor authpf -rdr-anchor authpf -binat-anchor authpf -anchor authpf +.Ic nat-anchor authpf +.Ic rdr-anchor authpf +.Ic binat-anchor authpf +.Ic anchor authpf .Ed .Pp .Sh FILTER AND TRANSLATION RULES @@ -106,7 +106,7 @@ use the same format described in .Xr pf.conf 5 . The only difference is that these rules may (and probably should) use the macro -.Em user_ip +.Em user_ip , which is assigned the connecting ip address whenever .Nm is run. 
@@ -147,7 +147,7 @@ file. If the file is empty or does not exist, defaults are used for all configuration options. The file consists of pairs of the form -.Li name=value +.Li name=value , one per line. Currently, the allowed values are as follows: .Bl -tag -width Ds @@ -211,10 +211,10 @@ to ensure the security of the session, and to ensure that the network through which users connect is secure. .Xr sshd 8 should be configured to use the -.Dv ClientAliveInterval +.Ar ClientAliveInterval and -.Dv ClientAliveCountMax -parameters to ensure that an ssh session is terminated quickly if +.Ar ClientAliveCountMax +parameters to ensure that a ssh session is terminated quickly if it becomes unresponsive, or if arp or address spoofing is used to hijack the session. Note that TCP keepalives are not sufficient for @@ -279,7 +279,7 @@ the file containing a message about why he has been banned from using the network. Once bob has done suitable penance, his access may be restored by moving or removing the file -.Pa /etc/authpf/banned/bob. +.Pa /etc/authpf/banned/bob . .Pp Now consider a workgroup containing alice, bob, carol and dave. They have a @@ -311,21 +311,21 @@ To make that happen, .Xr login.conf 5 should have entries that look something like this: .Bd -literal -shell-default:shell=/bin/csh - -default:\\ - ... - :shell=/usr/sbin/authpf - -daemon:\\ - ... - :shell=/bin/csh:\\ - :tc=default: - -staff:\\ - ... - :shell=/bin/csh:\\ - :tc=default: +.Ic shell-default:shell=/bin/csh +.Pp +.Ic default:\e +.Ic \ \ \ \ ... +.Ic \ \ \ \ :shell=/usr/sbin/authpf +.Pp +.Ic daemon:\e +.Ic \ \ \ \ ... +.Ic \ \ \ \ :shell=/bin/csh:\e +.Ic \ \ \ \ :tc=default: +.Pp +.Ic staff:\e +.Ic \ \ \ \ ... +.Ic \ \ \ \ :shell=/bin/csh:\e +.Ic \ \ \ \ :tc=default: .Ed .Pp Using a default password file, all users will get 
@@ -337,10 +337,10 @@ as their shell except for root who will get .Xr sshd 8 must be properly configured to detect and defeat network attacks. To that end, the following options should be added to -.Pa sshd_config : +.Xr sshd_config 5 : .Bd -literal -ClientAliveInterval 15 -ClientAliveCountMax 3 +.Ic ClientAliveInterval 15 +.Ic ClientAliveCountMax 3 .Ed .Pp This ensures that unresponsive or spoofed sessions are terminated within a 
@@ -348,27 +348,35 @@ minute, since a hijacker should not be able to spoof ssh keepalive messages. .Pp .Pp \fBBanners\fP - Once authenticated, the user is shown the contents of -.Pa /etc/authpf/authpf.message. +.Pa /etc/authpf/authpf.message . This message may be a screen-full of the appropriate use policy, the contents of .Pa /etc/motd or something as simple as the following: -.Bd -literal - This means you will be held accountable by the powers that be - for traffic originating from your machine, so please play nice. +.Bd -literal -offset indent +.Xo Ic This means you will be held accountable\ +.Ic by the powers that be +.Xc +.Xo Ic for traffic originating from your machine,\ +.Ic so please play nice. +.Xc .Ed .Pp To tell the user where to go when the system is broken, .Pa /etc/authpf/authpf.problem could contain something like this: -.Bd -literal - Sorry, there appears to be some system problem. To report this - problem so we can fix it, please phone 1-900-314-1597 or send - an email to remove@bulkmailerz.net. +.Bd -literal -offset indent +.Xo Ic Sorry, there appears to be some system\ +.Ic problem. To report this +.Xc +.Xo Ic problem so we can fix it, please\ +.Ic phone 1-900-314-1597 or send +.Xc +.Ic an email to remove@bulkmailerz.net. .Ed .Pp \fBPacket Filter Rules\fP - In areas where this gateway is used to protect a -wireless network (a hub with several hundred ports) the default rule set as +wireless network (a hub with several hundred ports), the default rule set as well as the per-user rules should probably allow very few things beyond encrypted protocols like .Xr ssh 1 , 
@@ -386,30 +394,36 @@ Example .Bd -literal # by default we allow internal clients to talk to us using # ssh and use us as a dns server. -internal_if="fxp1" -gateway_addr="10.0.1.1" -nat-anchor authpf -rdr-anchor authpf -binat-anchor authpf -block in on $internal_if from any to any -pass in quick on $internal_if proto tcp from any to $gateway_addr \\ - port = ssh -pass in quick on $internal_if proto udp from any to $gateway_addr \\ - port = domain -anchor authpf +.Ic internal_if=\&"fxp1\&" +.Ic gateway_addr=\&"10.0.1.1\&" +.Ic nat-anchor authpf +.Ic rdr-anchor authpf +.Ic binat-anchor authpf +.Ic block in on $internal_if from any to any +.Xo Ic pass in quick on $internal_if proto tcp\ +.Ic from any to $gateway_addr \e +.Xc +.Ic \ \ port = ssh +.Xo Ic pass in quick on $internal_if proto udp\ +.Ic from any to $gateway_addr \e +.Xc +.Ic \ \ port = domain +.Ic anchor authpf .Ed .Pp Example .Pa /etc/authpf/authpf.rules : .Bd -literal # no real restrictions here, basically turn the network jack off or on. - -external_if = "xl0" -internal_if = "fxp0" - -pass in log quick on $internal_if proto tcp from $user_ip to any \\ - keep state -pass in quick on $internal_if from $user_ip to any +.Pp +.Ic external_if = \&"xl0\&" +.Ic internal_if = \&"fxp0\&" +.Pp +.Xo Ic pass in log quick on $internal_if proto\ +.Ic tcp from $user_ip to any \e +.Xc +.Ic \ \ keep state +.Ic pass in quick on $internal_if from $user_ip to any .Ed .Pp Another example 
@@ -417,22 +431,30 @@ Another example for an insecure network (such as a public wireless network) where we might need to be a bit more restrictive. .Bd -literal -internal_if="fxp1" -ipsec_gw="10.2.3.4" - +.Ic internal_if=\&"fxp1\&" +.Ic ipsec_gw=\&"10.2.3.4\&" +.Pp # rdr ftp for proxying by ftp-proxy(8) -rdr on $internal_if proto tcp from $user_ip to any port 21 \\ - -> 127.0.0.1 port 8081 - +.Xo Ic rdr on $internal_if proto tcp from\ +.Ic $user_ip to any port 21 \e +.Xc +.Ic \ \ -> 127.0.0.1 port 8081 +.Pp # allow out ftp, ssh, www and https only, and allow user to negotiate # ipsec with the ipsec server. -pass in log quick on $internal_if proto tcp from $user_ip to any \\ - port { 21, 22, 80, 443 } flags S/SA -pass in quick on $internal_if proto tcp from $user_ip to any \\ - port { 21, 22, 80, 443 } -pass in quick proto udp from $user_ip to $ipsec_gw port = isakmp \\ - keep state -pass in quick proto esp from $user_ip to $ipsec_gw +.Xo Ic pass in log quick on $internal_if\ +.Ic proto tcp from $user_ip to any \e +.Xc +.Ic \ \ port { 21, 22, 80, 443 } flags S/SA +.Xo Ic pass in quick on $internal_if proto\ +.Ic tcp from $user_ip to any \e +.Xc +.Ic \ \ port { 21, 22, 80, 443 } +.Xo Ic pass in quick proto udp from $user_ip\ +.Ic to $ipsec_gw port = isakmp \e +.Xc +.Ic \ \ keep state +.Ic pass in quick proto esp from $user_ip to $ipsec_gw .Ed .Sh FILES .Bl -tag -width "/etc/authpf/authpf.conf" -compact @@ -455,7 +477,8 @@ The authenticating .Xr ssh 1 connection may be secured, but if the network is not secured the user may expose insecure protocols to attackers on the same network, or enable other -attackers on network to pretend to be the user by spoofing their IP address. +attackers on the network to pretend to be the user by spoofing their IP +address. .Pp .Nm is not designed to prevent users from denying service to other users. |
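Review bot: in the pfctl.8 hunk @@ -78,9 +80,9 @@, swapping `.Li` for `.Em` on `net.inet.ip.forwarding` and `net.inet6.ip6.forwarding` turns a literal MIB name into italic emphasis; since these are variable names rather than stressed words, `.Va net.inet.ip.forwarding` is the mdoc macro that says what they are and keeps the sysctl names visually distinct from surrounding prose.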
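Review bot: in the pfctl.8 hunk @@ -253,11 +259,14 @@, the new `.Nm pfctl` line is redundant inside pfctl's own manual page, where a bare `.Nm` already expands to the page name; `.Nm pfctl` is only needed when another page refers to pfctl. The unchanged context line `#-starting comments are allowed in the text file.` would also read better as "Comments starting with # are allowed in the text file."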
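Review bot: in the pflogd.8 hunk @@ -99,31 +99,36 @@, the unchanged context line `Tcpdump has been extended to to be able to filter on the pfloghdr` still carries a doubled "to", which a typo-fixing commit should catch. In the same hunk, `.Aq Ar net/if_pflog.h` marks a header file path as an argument placeholder, while the bpf.4 hunk @@ -434,7 +434,7 @@ in this same patch shows the page's existing convention `.Aq Pa net/bpf.h`; `.Aq Pa net/if_pflog.h` keeps the two pages consistent.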
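Review bot: in the pf.4 hunk @@ -406,7 +408,7 @@, the context line `.Dv DIOCRGETTABLES, but returns an array of pfr_tstats structures.` fuses the comma into the macro argument, so it renders in the constant's font; mdoc wants trailing punctuation as a separate argument, i.e. `.Dv DIOCRGETTABLES ,`.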
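Review bot: in the pf.4 hunk @@ -455,24 +457,24 @@, two context lines were missed by the grammar pass: `if pfrio_size2 was set on entry, pfrio_size2 will point to the size of` starts a sentence with lowercase "if", and `.Dv DIOCRGETADDRS.` fuses the full stop into the macro argument (should be `.Dv DIOCRGETADDRS .`). Since the hunk already touches the surrounding lines, both fixes belong in this commit.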
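Review bot: in the pf.4 hunk @@ -508,27 +510,27 @@, the context line `On exit, pfrio_ndel contains the number of leftover table deleted, and` needs the plural "tables deleted" to agree with "the number of"; it sits between two lines the hunk already rewrites, so it is an easy addition.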
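Review bot: in the authpf.8 hunk @@ -1,4 +1,4 @@, the context line `.\" Copyright (c) 2002 Bob Beck (beck@openbsd.org>. All rights reserved.` has mismatched brackets around the address (opening `(`, closing `>`); a typo commit touching this header is the natural place to change it to `<beck@openbsd.org>`.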
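Review bot: in the authpf.8 hunk @@ -211,10 +211,10 @@, `.Dv ClientAliveInterval` and `.Dv ClientAliveCountMax` are changed to `.Ar`, but these are fixed sshd_config keywords, not user-supplied arguments, so `.Cm ClientAliveInterval` is the macro that describes them (and avoids rendering them as placeholders). The same hunk changes "an ssh session" to "a ssh session"; since "ssh" is read letter by letter with an initial vowel sound, the original "an ssh session" is the better form and should be kept.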