Improve "Building the Rule Script" section by adding description of

converting script to rule list (the example already contain this way,
but it was not described).

en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml

@@ -836,12 +836,15 @@ myip="192.0.2.7"     # my static IP address from ISP
 ks="keep state"
 fks="flags S keep state"
 
-# You can use this same to build the /etc/ipf.rules file
+# You can chose between building /etc/ipf.rules file
-#cat >> /etc/ipf.rules << EOF
+# from this script or running this script "as is".
-
+#
-# exec ipf command and read inline data, stop reading
+# Uncomment only one line and comment out another.
-# when word EOF is found. There has to be one line
+#
-# after the EOF line to work correctly.
+# 1) This can be used for building /etc/ipf.rules:
+#cat > /etc/ipf.rules << EOF
+#
+# 2) This can be used to run script "as is":
 /sbin/ipf -Fa -f - << EOF
 
 # Allow out access to my ISP's Domain name server.
@@ -866,32 +869,46 @@ EOF
          </programlisting>
 
        <para>There is one problem with using a rules file with embedded
-         symbolics. IPF has no problem with it, but the rc startup
+	 symbolics.  IPF do not understand symbolic substitution, and
-         scripts that read <filename>rc.conf</filename> will have
+	 can not read such scripts directly.</para>
-         problems.</para>
 
-       <para>To get around this limitation with a rc script, remove
+      <para>This script can be used in one of two ways:</para>
-         the following line from <filename>/etc/rc.conf</filename>:</para>
 
-       <programlisting><command>ipfilter_rules=</command>
+      <itemizedlist>
-         </programlisting>
+        <listitem>
+	  <para>Uncomment line that begins from <command>cat</command>
+	    and comment out line that begins from
+	    <filename>/sbin/ipf</filename>.  Place
+	    <literal>ipfilter_enable="YES"</literal> into
+	    <filename>/etc/rc.conf</filename> as usual, and run
+	    script once after each modification to create or update
+	    <filename>/etc/ipf.rules</filename>.</para>
+	</listitem>
 
-       <para>Add a script like the following to your <filename>
+	<listitem>
-         /usr/local/etc/rc.d/</filename> startup directory. The script
+	  <para>Disable IPFILTER in system startup scripts by
-         should have an obvious name like <filename>loadipfrules.sh</filename>.
+	    adding <literal>ipfilter_enable="NO"</literal> (this is
-         The <filename>.sh</filename> extension is mandatory.</para>
+	    default value) into
+	    <filename>/etc/rc.conf</filename> file.</para>
 
-       <programlisting>#!/bin/sh
+	  <para>Add a script like the following to your
+	    <filename>/usr/local/etc/rc.d/</filename> startup
+	    directory.  The script should have an obvious name like
+	    <filename>ipf.loadrules.sh</filename>.
+	    The <filename>.sh</filename> extension is mandatory.</para>
+
+	  <programlisting>#!/bin/sh
 sh /etc/ipf.rules.script</programlisting>
 
-       <para>The permissions on this script file must be read, write,
+	  <para>The permissions on this script file must be read, write,
-         execute for owner <username>root</username>.</para>
+	    execute for owner <username>root</username>.</para>
 
-       <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting>
+	  <programlisting><command>chmod 700 /usr/local/etc/rc.d/ipf.loadrules.sh</command></programlisting>
-
+	</listitem>
-       <para>Now, when your system boots your IPF rules will be loaded
+      </itemizedlist>
-         using the script.</para>
 
+	<para>Now, when your system boots your IPF rules will be
+	  loaded.</para>
      </sect2>
 
      <sect2>