backport (cosmetic) changes from wiki-ng

2024-11-27 11:23:37 +01:00 · 2023-04-08 22:08:13 +02:00 · 2023-04-08 22:08:13 +02:00 · 37d7831fd4
commit 37d7831fd4
parent 4c127e7c98
46 changed files with 961 additions and 824 deletions
--- a/Other.md
+++ b/Other.md
@ -19,7 +19,7 @@
 - **RetroShare** can be run as a darknet (friend-to-friend) by default to perform anonymous file transfers if DHT and Discovery features are disabled.
 - **GNUnet** is a darknet if the "F2F (network) topology" option is enabled.
 - **Syndie** is software used to publish distributed forums over the anonymous networks of I2P, Tor and Freenet.
-OneSwarm can be run as a darknet for friend-to-friend file-sharing.
+- OneSwarm can be run as a darknet for friend-to-friend file-sharing.
 - **Tribler** can be run as a darknet for file-sharing.
 ## BGP Routed IP
--- a/howto/Bird.md
+++ b/howto/Bird.md
@ -26,7 +26,7 @@ Note: This file covers the configuration of Bird 1.x. For an example configurati
 ## IPv6
-```
+```conf
 #/etc/bird/bird6.conf
 protocol device {
  scan time 10;
@ -96,7 +96,7 @@ template bgp dnpeers {
 include "/etc/bird/peers6/*";
 ```
-```
+```conf
 # /etc/bird/local6.conf
 # should be a unique identifier, use same id as for ipv4
 router id <GATEWAY_IP>;
@ -115,7 +115,7 @@ function is_valid_network() {
 }
 ```
-```
+```conf
 # /etc/bird/peers6/<PEER_NAME>
 protocol bgp <PEER_NAME> from dnpeers {
  neighbor <PEERING_IP> as <PEER_AS>;
@ -126,7 +126,7 @@ protocol bgp <PEER_NAME> from dnpeers {
 ### IPv4
-```
+```conf
 # /etc/bird/bird.conf
 # Device status
 protocol device {
@ -205,7 +205,7 @@ template bgp dnpeers {
 include "/etc/bird/peers4/*";
 ```
-```
+```conf
 #/etc/bird/local4.conf
 # should be a unique identifier, <GATEWAY_IP> is what most people use.
 router id <GATEWAY_IP>;
@ -232,7 +232,7 @@ function is_valid_network() {
 }
 ```
-```
+```conf
 # /etc/bird/peers4/<PEER_NAME>
 protocol bgp <PEER_NAME> from dnpeers {
  neighbor <PEERING_IP> as <PEER_AS>;
@ -276,27 +276,27 @@ ROA files generated by [roa_wizard](https://git.dn42.dev/Kioubit/roa_wizard) are
 You can add cron entries to periodically update the tables:
-```
+```conf
 */15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && chronic birdc6 configure
 */15 * * * * curl -sfSLR {-o,-z}/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && chronic birdc configure
 ```
 Debian version:
-```
+```conf
 */15 * * * * curl -sfSLR -o/var/lib/bird/bird6_roa_dn42.conf -z/var/lib/bird/bird6_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_6.conf && /usr/sbin/birdc6 configure
 */15 * * * * curl -sfSLR -o/var/lib/bird/bird_roa_dn42.conf -z/var/lib/bird/bird_roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird1_4.conf && /usr/sbin/birdc configure
 ```
 then create the directory to make sure curls can save the files:
-```
+```sh
 mkdir -p /var/lib/bird/
 ```
 Or use a systemd timer: (check the commands before copy-pasting)
-```
+```conf
 # /etc/systemd/system/dn42-roa.service
 [Unit]
 Description=Update DN42 ROA
@ -308,7 +308,7 @@ ExecStart=curl -sfSLR -o /etc/bird/roa_dn42_v6.conf -z /etc/bird/roa_dn42_v6.con
 ExecStart=birdc configure
 ```
-```
+```conf
 # /etc/systemd/system/dn42-roa.timer
 [Unit]
 Description=Update DN42 ROA periodically
@ -328,26 +328,28 @@ then enable and start the timer with `systemctl enable --now dn42-roa.timer`.
 * Download  gortr
-`https://github.com/cloudflare/gortr/releases`
+<https://github.com/cloudflare/gortr/releases>
 * Run gortr.
-```
+```sh
 ./gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
 ```
 * Run with docker
-`docker pull cloudflare/gortr`
+```sh
-
+docker pull cloudflare/gortr
 ```
 ```sh
 docker run --name dn42rpki -p 8282:8282 --restart=always -d cloudflare/gortr -verify=false -checktime=false -cache=https://dn42.burble.com/roa/dn42_roa_46.json
 ```
 * Add this to your bird configure file,other ROA protocol must removed.
-```
+```conf
 protocol rpki rpki_dn42{
  roa4 { table dn42_roa; };
  roa6 { table dn42_roa_v6; };
@ -364,7 +366,7 @@ protocol rpki rpki_dn42{
 In your import filter add the following to reject invalid routes:
-```
+```conf
 if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
   print "[dn42] ROA check failed for ", net, " ASN ", bgp_path.last;
   reject;
@ -373,7 +375,7 @@ if (roa_check(dn42_roa, net, bgp_path.last) != ROA_VALID) then {
 Also, define your ROA table with:
-```
+```conf
 roa table dn42_roa {
    include "/var/lib/bird/bird_roa_dn42.conf";
 };
@ -386,7 +388,7 @@ roa table dn42_roa {
 bird can be remote controlled via the `birdc` command. Here is a list of useful bird commands:
-```
+```sh
 $ birdc
 BIRD 1.4.5 ready.
 bird> configure # reload configuration
--- a/howto/Bird2.md
+++ b/howto/Bird2.md
@ -26,7 +26,7 @@ When copying the configuration below onto your system, you will have to enter th
 * The same goes for `<OWNNETv6>`, but it takes an IPv6 subnet (Who'd have thought).
 * Keep in mind that you'll have to enter both networks in the OWNNET{,v6} and OWNNETSET{,v6}, the two variables are required due to set parsing difficulties with variables.
-```
+```conf
 ################################################
 #               Variable header                #
 ################################################
@ -182,7 +182,7 @@ The example config above relies on ROA configuration files in `/etc/bird/roa_dn4
 To use an RTR server for ROA information, replace this config in your bird2 configuration file:
-```
+```conf
 protocol static {
    roa4 { table dn42_roa; };
    include "/etc/bird/roa_dn42.conf";
@ -196,7 +196,7 @@ protocol static {
 ... with this one (by changing address and port so it points to your RTR server)
-```
+```conf
 protocol rpki roa_dn42 {
        roa4 { table dn42_roa; };
        roa6 { table dn42_roa_v6; };
@ -228,7 +228,7 @@ Please note: This section assumes that you've already got a tunnel to your peeri
 First, make sure the /etc/bird/peers directory exists:
-```
+```sh
 # mkdir -p /etc/bird/peers
 ```
@ -246,4 +246,4 @@ protocol bgp <NEIGHBOR_NAME>_v6 from dnpeers {
 }
 ```
-Due to the special link local addresses of IPv6, an interface has to be specified using the %<if> syntax if a link local address is used (Which is recommended)
+Due to the special link local addresses of IPv6, an interface has to be specified using the `%<if>` syntax if a link local address is used (Which is recommended)
--- a/howto/EMail.md
+++ b/howto/EMail.md
@ -11,14 +11,14 @@ Running email in dn42 is not very complicated.  Your SMTP daemon probably alread
 | Handle       | Alias          | Redirection           |
 |:------------ |:-------------- |:--------------------- |
-| `STV0G-DN42` | stv0g@dn42.org | post@steffenvogel.de` |
+| `STV0G-DN42` | stv0g@dn42.org | `post@steffenvogel.de` |
 ## Test email
 ~~Send an email to `test@evenet.dn42` to check if your mail setup is correct.~~ This host will reply using the following
 sieve filter:
-```
+```conf
 require ["regex", "variables", "vacation-seconds"];
 if header :contains "To" ["test@evenet.dn42"] {
  if header :matches "Subject" "*" {
@ -41,31 +41,35 @@ This is controlled by the `ignore_target_hosts` variable in the configuration fi
 ### Receiving emails
 Don't forget to add your dn42 domains to the list of local domains, so that you accept incoming emails.  On Debian, it is controlled by `dc_other_hostnames` in `update-exim4.conf.conf`.  For instance:
-
+```conf
 dc_other_hostnames='myself.org;myself.dn42;myserver.myself.dn42'
-
+```
 ## Postfix
 ### Sending Mails
 If your machine sends/receives Mails in "clearnet" with specific bound IP's you need to create an additional transport in master.cf
 ```conf
 out_dn42  unix -       -       n       -       -       smtp
    -o smtp_bind_address=172.23.67.1
    -o smtp_bind_address6=fd70:96c9:ef25::1
    -o smtp_helo_name=ns1.mhm.dn42
    -o syslog_name=postfix-dn42
 ```
 and add this transport to /etc/postfix/transport for dn42 (and dont forget to postmap)
 ```
 .dn42           out_dn42:
 ```
 This should to the trick for sending mails via your DN42-IP
 If you use `smtpd_recipient_restrictions` you can use the following rule to white-list dn42 as sender.
 This can circumvent certain rdns configuration failure or in case you use rbl lists:
-```
+```conf
 smtpd_recipient_restrictions = permit_mynetworks,
                         permit_sasl_authenticated,
                         check_client_access cidr:/etc/postfix/dn42.cidr,
@ -74,14 +78,14 @@ smtpd_recipient_restrictions = permit_mynetworks,
                         permit
 ```
-```
+```conf
 #/etc/postfix/dn42.cidr
 172.16.0.0/12 OK
 10.0.0.0/8 OK
 fc00::/7 OK
 ```
-```
+```sh
 $ postmap /etc/postfix/dn42.cidr
 ```
--- a/howto/EdgeOS-Config-Example.md
+++ b/howto/EdgeOS-Config-Example.md
@ -20,7 +20,7 @@ Ask me if you want to know if I have implemented those items already.
 # Configuration
-```
+```conf
 firewall {
    all-ping enable
    broadcast-ping disable
--- a/howto/EdgeOS-GRE-IPsec-Example.md
+++ b/howto/EdgeOS-GRE-IPsec-Example.md
@ -12,16 +12,20 @@ This configuration assumes that both peers have static public IPs.
 You'll need to generate a public/private keypair for your router if you intend to use "plainrsa" authentication for your IPsec connections. The local public key listed in the output is what you'll send to your peer.
 ```sh
 ryan@edge1:~$ generate vpn rsa-key bits 4096
 ryan@edge1:~$ show vpn ike rsa-keys
 Local public key (/config/ipsec.d/rsa-keys/localhost.key):
 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
 ```
 If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY-----`), you'll need to convert it to the format used by EdgeOS (begins with `0s`) in order to insert it into the configuration. See [this forum post](http://community.ubnt.com/t5/EdgeMAX/ERL-lt-gt-Mikrotik-IPsec-Connections/m-p/534682#M13015) for a script to convert between the two key formats.
 ## Configuration
 ```conf
    firewall {
        all-ping enable
        broadcast-ping disable
@ -499,3 +503,4 @@ If your peer sends you a key in PEM format (starts with `-----BEGIN PUBLIC KEY--
            interface eth0
        }
    }
 ```
--- a/howto/GRE-on-FreeBSD.md
+++ b/howto/GRE-on-FreeBSD.md
@ -21,7 +21,7 @@ ifconfig gre$INDEX descr $DESCR
 Add this to your `rc.conf`.
-```
+```conf
 cloned_interfaces="$cloned_interfaces gre0"
 ifconfig_gre0="10.0.0.1 10.0.0.2 netmask 0xffffffff tunnel 1.2.3.4 5.6.7.8 descr foo"
 ```
--- a/howto/GRE-on-OpenBSD.md
+++ b/howto/GRE-on-OpenBSD.md
@ -9,7 +9,7 @@ Let `fd42::` and `fd42::1` be the IPs of *A* and *D* respectively where both are
 ## pseudo interface
 Populate [`/etc/hostname.gre0`](https://man.openbsd.org/hostname.if.5) with:
-```
+```conf
 tunnel A.example.com D.example.net
 inet6 fd42::/127
 ```
@ -21,7 +21,7 @@ Reboot or run [`sh /etc/netstart gre0`](https://man.openbsd.org/netstart.8) to b
 ## miscellaneous
 Populate `/etc/sysctl.conf` with:
-```
+```conf
 net.inet.gre.allow=1
 ```
 Reboot or run `sysctl net.inet.gre.allow=1` to allow GRE packet processing.
--- a/howto/Getting-Started.md
+++ b/howto/Getting-Started.md
@ -67,7 +67,7 @@ Common authentication methods are:
  - SSH Key: `auth: ssh-{rsa,ed25519} <key>`
 Example: data/mntner/FOO-MNT
-```
+```conf
 mntner:             FOO-MNT
 admin-c:            FOO-DN42
 tech-c:             FOO-DN42
@ -93,7 +93,7 @@ Contact attributes are optional but DN42 is a dynamic network and being able to
 Example: data/person/FOO-DN42
-```
+```conf
 person:             John Doe
 e-mail:             john.doe@example.com
 nic-hdl:            FOO-DN42
@ -116,7 +116,7 @@ If you intend to register resources for an organisation (e.g. your hackerspace),
 - don't forget to set `mnt-by` to `<FOO>-MNT`, since you're managing this object on behalf of your organisation.
 Example: data/organisation/ORG-EXAMPLE
-```
+```conf
 organisation:       ORG-FOO
 org-name:           Foo Organisation
 admin-c:            FOO-DN42
@ -153,7 +153,7 @@ Internet ASNs may be used, but you must take care to clearly separate Internet a
 If unsure, ask on the mailing list or IRC.
 Example: data/aut-num/AS4242423999
-```
+```conf
 aut-num:            AS4242423999
 as-name:            AS-FOO-DN42
 admin-c:            FOO-DN42
@ -179,7 +179,7 @@ A few websites can generate random ULA prefixes for you:
 or a small script is available: [ulagen.py](https://git.dn42.dev/netravnen/dn42-repo-utils/src/master/ulagen.py)
 example: data/inet6num/fd35:4992:6a6d::_48
-```
+```conf
 inet6num:           fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
 cidr:               fd35:4992:6a6d::/48
 netname:            FOO-NETWORK
@ -223,7 +223,7 @@ If you need a /24 or larger, please ask in the IRC chan or on the mailing list a
 **Note:** Reverse DNS works with _any_ prefix length, as long as your [recursive nameserver](/services/DNS) supports [RFC 2317](https://www.ietf.org/rfc/rfc2317.txt). Don't go for a /24 _just to have RDNS_.
 example: data/inetnum/172.20.150.0_27
-```
+```conf
 inetnum:            172.20.150.0 - 172.20.150.31
 cidr:               172.20.150.0/27
 netname:            FOO-NETWORK
@ -241,7 +241,7 @@ source:             DN42
 If you plan to announce your prefixes in dn42, which you probably want in most cases, you will also need to create a `route6` object for ipv6 prefixes and a `route` object for ipv4 prefixes. This information is used for Route Origin Authorization (ROA) checks. If you skip this step, your network will probably get filtered by most major peers.  Checking ROA will prevent (accidental) hijacking of other people's prefixes.
 example: data/route6/fd35:4992:6a6d::_48
-```
+```conf
 route6:             fd35:4992:6a6d::/48
 origin:             AS4242423999
 max-length:         48
@ -250,7 +250,7 @@ source:             DN42
 ```
 example data/route/172.20.150.0_27:
-```
+```conf
 route:              172.20.150.0/27
 origin:             AS4242423999
 max-length:         27
@ -266,7 +266,7 @@ To register a domain name, create a `dns` object in the data/dns directory.
 Domain names and nserver attributes must be lowercase.
 example: data/dns/foo.dn42
-```
+```conf
 domain:             foo.dn42
 admin-c:            FOO-DN42
 tech-c:             FOO-DN42
@ -280,13 +280,13 @@ source:             DN42
 You can also add DNSSEC delegations using `ds-rdata` attributes to your domain:
-```
+```conf
 ds-rdata:           61857 13 2 bd35e3efe3325d2029fb652e01604a48b677cc2f44226eeabee54b456c67680c
 ```
 For reverse DNS, add `nserver` attributes to you inet{,6}num objects:
-```
+```conf
 inet6num:           fd35:4992:6a6d:0000:0000:0000:0000:0000 - fd35:4992:6a6d:ffff:ffff:ffff:ffff:ffff
 cidr:               fd35:4992:6a6d::/48
 netname:            FOO-NETWORK
--- a/howto/IPsec-on-FreeBSD.md
+++ b/howto/IPsec-on-FreeBSD.md
@ -10,7 +10,7 @@ These instructions are for IPsec in transport mode not IPsec in tunnel mode. IPs
 ## Kernel configuration
 The FreeBSD GENERIC kernel lacks support for in-kernel IPsec processing. Add this two lines to your kernel config and (re-)build your own kernel.
 If you're new to FreeBSD check Chapters [15.9.1](http://www.freebsd.org/doc/handbook/ipsec.html) and [9](http://www.freebsd.org/doc/handbook/kernelconfig.html) of the FreeBSD handbook.
-```
+```conf
 options   IPSEC        #IP security
 device    crypto
 ```
@ -20,7 +20,7 @@ Reboot into your new kernel.
 Install the racoon daemon. It's included in the [security/ipsec-tools](http://www.freshports.org/security/ipsec-tools/) port.
 Racoon is pain in the ass to configure the first time because it's error messages aren't helping and the complexity of IPsec. Don't let this stop you.
-```
+```conf
 path    pre_shared_key  "/usr/local/etc/racoon/psk";
 path    certificate     "/usr/local/etc/racoon/certs";
 log     info;
--- a/howto/IPsecWithPublicKeys/CiscoIOSExample.md
+++ b/howto/IPsecWithPublicKeys/CiscoIOSExample.md
@ -5,20 +5,25 @@ _Note: You may already have completed this step, since it's required to enable S
 1. Configure a hostname and domain name.
 ```
 Router#conf t
 Router(config)#hostname foo
 foo(config)#ip domain-name bar
 ```
 2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
 ```
 foo(config)#crypto key generate rsa general-keys modulus 2048
 % The key modulus size is 2048 bits
 % Generating 2048 bit RSA keys, keys will be non-exportable...
 foo(config)#exit
 ```
 ### Exchange public keys with your peer
 1. Display the public key. Send the key data portion to your peer.
 ```
 foo#show crypto key mypubkey rsa foo.bar
 % Key pair was generated at: 19:24:02 UTC Jul 19 2014
 Key name: foo.bar
@ -36,6 +41,7 @@ _Note: You may already have completed this step, since it's required to enable S
 C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
 F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
 8F020301 0001
 ```
 2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -56,6 +62,7 @@ In this example, we'll use the following settings:
 1. Add your peer's public key
 ```
 foo#conf t
 Enter configuration commands, one per line.  End with CNTL/Z.
 foo(config)#crypto key pubkey-chain rsa
@ -76,9 +83,11 @@ In this example, we'll use the following settings:
 foo(config-pubkey)#quit
 foo(config-pubkey-key)#exit
 foo(config-pubkey-chain)#exit
 ```
 2. Configure an ISAKMP policy
 ```
 foo(config)#crypto isakmp policy 10
 foo(config-isakmp)#encryption aes
 foo(config-isakmp)#hash sha
@ -86,10 +95,13 @@ In this example, we'll use the following settings:
 foo(config-isakmp)#lifetime 28800
 foo(config-isakmp)#authentication rsa-sig
 foo(config-isakmp)#exit
 ```
 3. All done! Configure the phase 2 parameters as you otherwise would.
 ## Full GRE/IPsec example
 ```
 crypto key pubkey-chain rsa
 addressed-key 192.0.2.2
  address 192.0.2.2
@ -129,3 +141,4 @@ In this example, we'll use the following settings:
   description WAN
   ip address 192.0.2.1 255.255.255.0
   duplex full
 ```
--- a/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
+++ b/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
@ -21,17 +21,17 @@ Change the direction on 5.6.7.8.
 ## Load the IPsec security policy into the IPsec security policy database
 Load the policy with the setkey command.
-```
+```sh
 setkey -f /etc/ipsec-tools.conf
 ```
 Afterward check the policy database with:
-```
+```sh
 setkey -DP
 ```
 ## Configure the racoon daemon
 An example /etc/racoon/racoon.conf.
-```
+```conf
 path pre_shared_key "/etc/racoon/psk.txt";
 path certificate    "/etc/racoon/certs";
 log info;
--- a/howto/IPsecWithPublicKeys/OpenBSDExample.md
+++ b/howto/IPsecWithPublicKeys/OpenBSDExample.md
@ -34,14 +34,17 @@ Next, add the right flow parameters to [`/etc/ipsec.conf`](http://man.openbsd.or
 The configuration file should look like this:
 ```conf
 mymachine = "3.4.5.6"
 mypeer    = "1.3.3.7"
 ike esp transport proto gre from $mymachine to $mypeer \
  main auth hmac-sha1 enc aes-128 group modp1536 lifetime 28800 \
  quick auth hmac-sha1 enc aes-128 group modp1536 lifetime 3600
 ```
 Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once the connection is established, the IPSec flows can be listed with `ipsecctl -sa`:
 ```
 # ipsecctl -sa
 FLOWS:
 flow esp in proto gre from 1.3.3.7 to 3.4.5.6 peer 1.3.3.7 srcid 3.4.5.6/32 dstid 1.3.3.7/32 type use
@ -50,16 +53,21 @@ Load the configuration file into isakmpd: `ipsecctl -f /etc/ipsec.conf`. Once th
 SAD:
 esp transport from 1.3.3.7 to 3.4.5.6 spi 0xdeadbeef auth hmac-sha1 enc aes
 esp transport from 3.4.5.6 to 1.3.3.7 spi 0xf00df00d auth hmac-sha1 enc aes
 ```
 # GRE Setup
 Next, we will set up the GRE device. The [gre(4)](http://man.openbsd.org/gre.4) device encapsulates IPv4 and IPv6 traffic, which allows you to speak both address families over one tunnel if you only have native connectivity for one address family. The addresses configured onto the GRE device should come from a private address range that is not used anywhere in DN42, or a registered transfer net. For IPv6, you should use either ULAs or Link-Local addresses. In this example, we assume you are using 10.20.30.0/31 as the IPv4 transfer "net" (it has only two addresses, so calling it a network is a bit of an overstatement) and Link-Local addresses for IPv6.
 ```sh
 # ifconfig gre0 tunnel 3.4.5.6 1.3.3.7
 # ifconfig gre0 inet 10.20.30.0 10.20.30.1 # reverse these on your peer's side
 # ifconfig gre0 inet6 eui64
 ```
 These settings should also be added to [`/etc/hostname.gre0`](http://man.openbsd.org/hostname.if.5), .i.e.
 ```conf
 tunnel 3.4.5.6 1.3.3.7
 inet 10.20.30.0 10.20.30.1
 inet6 eui64
 ```
--- a/howto/IPsecWithPublicKeys/RacoonExample.md
+++ b/howto/IPsecWithPublicKeys/RacoonExample.md
@ -17,7 +17,7 @@ I'd probably go with 4096 bits.
 in your racoon.conf:
-```
+```conf
 path certificate "/etc/racoon/keys";
 listen {
@ -38,6 +38,6 @@ remote 192.168.255.2 {
 }
 ```
-## Se also
+## See also
 [Debian specific configuration](/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian)
--- a/howto/IPsecWithPublicKeys/RouterOSExample.md
+++ b/howto/IPsecWithPublicKeys/RouterOSExample.md
@ -2,6 +2,7 @@
 ## Setup
 ### Generate an RSA keypair
 ```
 [admin@mtk1] > /ip ipsec key
 [admin@mtk1] /ip ipsec key> generate-key mykey key-size=4096
 For key bigger than 1024bit this may take a while..
@ -9,18 +10,22 @@
 Flags: P - private-key, R - rsa
 #    NAME                                                             KEY-SIZE
 0 PR mykey                                                            4096-bit
 ```
 ## Exchange public keys with your peer
 1. Export the public key to a file.
 ```
 [admin@mtk1] /ip ipsec key> export-pub-key mykey file-name=mykey.pub
 [admin@mtk1] /ip ipsec key> /file print where name=mykey.pub
 # NAME                   TYPE                        SIZE CREATION-TIME
 2 mykey.pub              ssh key                      451 jul/20/2014 12:35:33
 ```
 2. Copy the file to your workstation and send it to your peer. The contents of the file should look like this:
 ```
 -----BEGIN PUBLIC KEY-----
 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv4RHohMZP4F5qTJKqoSL
 TqefoZZRt1RVI5dOocjV1pJZnqcXMtHfQ/5+O+igUCAX+yBv0hie+U32FWcy5cQO
@ -30,6 +35,7 @@
 QOvIM7fvs5s0YWaUdT+vz8F0SHtb6Q/IdWc4JJPH/Q2t4HKTkk7FUnvvub2GxVbs
 8QIDAQAB
 -----END PUBLIC KEY-----
 ```
 3. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -50,6 +56,7 @@ In this example, we'll use the following settings:
 1. Copy your peer's PEM-encoded public key to the router and import it. (Hit enter when it asks for a passphrase)
 ```
 [admin@mtk1] /ip ipsec key> import peer-key.pub name=peer-key
 passphrase:
@ -58,9 +65,11 @@ In this example, we'll use the following settings:
 #    NAME                                                             KEY-SIZE
 0 PR mykey                                                            4096-bit
 1  R peer-key                                                         4096-bit
 ```
 2. Configure your peer definition to use the public key
 ```
 [admin@mtk1] /ip ipsec peer> add address=192.0.2.2 local-address=192.0.2.1 enc-algorithm=aes-128 hash-algorithm=sha1 dh-group=modp1536 lifetime=28800 key=mykey remote-key=peer-key auth-method=rsa-key
 [admin@mtk1] /ip ipsec peer> print
 Flags: X - disabled
@ -70,10 +79,12 @@ In this example, we'll use the following settings:
     proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-128
     dh-group=modp1536 lifetime=8h lifebytes=0 dpd-interval=2m
     dpd-maximum-failures=5
 ```
 3. All done! Configure the phase 2 parameters as you otherwise would.
 ## Full GRE/IPsec example
 ```
 # jul/20/2014 13:00:04 by RouterOS 6.15
 # software id = HBCA-0B2J
 #
@ -90,3 +101,4 @@ In this example, we'll use the following settings:
 /ip ipsec policy
 add dst-address=192.0.2.2/32 protocol=gre sa-dst-address=192.0.2.2 \
    sa-src-address=192.0.2.1 src-address=192.0.2.1/32
 ```
--- a/howto/IPsecWithPublicKeys/VyOSExample.md
+++ b/howto/IPsecWithPublicKeys/VyOSExample.md
@ -2,6 +2,7 @@
 ## Setup
 ### Generate an RSA keypair
 ```sh
 ubnt@ubnt:~$ generate vpn rsa-key bits 4096 random /dev/urandom
 Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
@ -9,15 +10,18 @@
 The public portion of the key is:
 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
 ```
 ### Exchange public keys with your peer
 1. Display the public key. Send the key data portion to your peer.
 ```sh
 ubnt@ubnt:~$ show vpn ike rsa-keys
 Local public key (/config/ipsec.d/rsa-keys/localhost.key):
 0sAQPNdF370ZEbN+kZUJQ10qnBlZujrg39ujfk20ILTjELksOIdJw/4jiU1MfpqFDKuB/XxERwJQp2POsFyV/n76jAgxIYBfFYfuaBcIH1rdNQtDhCnkmWzlueRXGEsz0Af79n8TKyQ9otzNhJ2cPE1CWCJbKqbIUN3piviLgGlItWNeya+Tl3Oj3ZfEVwr1QOvUAw32+m4L8T9jf1vqSlOTHpRpxxPWBrLEzstk0FOcZISji2JBpDOCU8Kpyyf74JM+LxsOIHwmS15b6iFZR3U9KZLqbbd0dSy/cM8P4XjrwM5UMyRDjrLqvuA/K/33BgtnxdQR3e9DJoYH3Qr8eRgSkR+jHyq06LvgHkHbMvrEjUnc3n8bg+YfR4oyJpIWsKjfIXmN1Q51KzxAPIAww+YSYUYtamSsQsspVAtMIQqR4e0r1In1qyoSn8VCPlksNMWpqYHbSjDo5HJYoSwxf2epzMtCvhenn0OuiH0xlgzziA+wBi6txksTMvJYcPJYnBVR2NIBjkWftOfmkY+rKMozViGjyd6kB7C8lqd8W7Ha5Ds2WxIY22DM3HcYH/zTp9z2xbuMOsbIgib/Y12Kh0wHyCz0lzFvs+d6CZwinyIXNKB/Vo4iiwT5luL5mGqf3pZx4zB+30GYSs/6MaELRF9BxD7tfqYCkOLXUtxyZ4Pdl2sw==
 ```
 2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -38,12 +42,15 @@ In this example, we'll use the following settings:
 1. Add your peer's public key
 ```sh
 vyos@vyos:~$ configure
 [edit]
 vyos@vyos# set vpn rsa-keys rsa-key-name my-peer rsa-key 0sAwEAAb4ETtKRLxcFNty56regsR61pq7hQl3NnjwABL16wZXGynKxZlj11VbdqcNwaTaqHZLV4Xfy867nImSs0DD9Cko5LzWwyM1Ih4SB+rIjfmBt7nRUrilnYvfWAONG1CLTI2tXnM/miNqiY+PxlCiMPr1KrTJWBWOknqqhhL2dOBfp3Ryx1yRxDACFG4wgpwmndJOnmefnV6qZXWiOdoIsBsBqQKiDY0g2uI+S3KxK27JL3KZWcA2ehhvtxmq4vwcMXplYeedei3EEmWxtddAZCApXor9bkVoVp2io+a0D1ALevYMD5SIygu55Q888n5puYNry/cUjX20/F/YK+J9u2UExWewN4AIt/jMNm7nJNWpuFHfLX1V/igHrdGzoEM0E/i+nGz9CWTVTLoFUmkTjpt31FPmomSVEI7MbNXG7cpa+X55PWd1apheR52XJZPZfCnMf1DjilYbLMRG05RK8zI3QlX3UXHira0dq4OBZ+Aow+dGp+jLmwjgdBDnkQdVu0iP6bp+5/oz6mWvDQ65EVECAIXKR5zIsiKn9ZU18H+lp4xWMjiSw3Y+87Y5KeQPmX73Ygolow6VvtCBvX8CS4Plszn3i0Qp8184eLEWIY314Z8Z+HwBAjUv3MkqI93leokAjMbt23ttaJbWlWgG47BAJOEcWlMFkDNcZtOngUrzF
 ```
 2. Configure an ISAKMP policy
 ```sh
 [edit]
 vyos@vyos# edit vpn ipsec ike-group FOO
 [edit vpn ipsec ike-group FOO]
@ -56,9 +63,11 @@ In this example, we'll use the following settings:
 vyos@vyos# set proposal 1 dh-group 5
 [edit vpn ipsec ike-group FOO]
 vyos@vyos# commit
 ```
 3. Set your peer definition to use the public key
 ```sh
 [edit vpn ipsec ike-group FOO]
 vyos@vyos# up
 [edit vpn ipsec]
@ -67,10 +76,13 @@ In this example, we'll use the following settings:
 vyos@vyos# set authentication mode rsa
 [edit vpn ipsec site-to-site peer 192.0.2.2]
 vyos@vyos# set authentication rsa-key-name my-peer
 ```
 4. All done! Configure the phase 2 parameters as you otherwise would.
 ## Full GRE/IPsec example
 ```conf    
 interfaces {
    ethernet eth0 {
        address 192.0.2.1/30
@ -133,3 +145,4 @@ In this example, we'll use the following settings:
        }
    }
 }
 ```
--- a/howto/IPsecWithPublicKeys/strongSwan4Example.md
+++ b/howto/IPsecWithPublicKeys/strongSwan4Example.md
@ -2,14 +2,17 @@
 ## Setup
 ### Generate an RSA keypair
 ```sh
 root@debian:~# mkdir /etc/ipsec.d/public
 root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
 root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pub
 root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
 ```
 ### Exchange public keys with your peer
 1. Display the public key. Send the key data to your peer.
 ```sh
 root@debian:~# more /etc/ipsec.d/public/mykey.pub
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
@ -25,6 +28,7 @@
 PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
 ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
 -----END PUBLIC KEY-----
 ```
 2. Convert your peer's public key to the Base64 RFC 3110 format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -47,6 +51,7 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
 1. Configure a connection policy in ipsec.conf for your peer. The `leftrsasigkey` attribute is your host's public key in Base64 RFC 3110 format enclosed in double quotes, and `rightrsasigkey` is your peer's key.
 ```sh
 root@debian:~# cat << EOF >> /etc/ipsec.conf
 conn MYPEER
    # peer IPs
@ -60,10 +65,13 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
    leftrsasigkey="0sAwEAAdvxViCblVLX7C6L2rzafpz0rE9pkKDSt2VFMLhCnwY0+5oYo3V0R4dUgLSGlNmnp+fneauntu7zAgmDkC2oJ/QpCmrQaueMxjbw0s0BKc9JiLGgcfcY74bIKgJigk6S7SrjM+nGWx/MvKPf2WfCr/iYbeu0/AQyl3M4DoOSCGl/OFKQq5UoJp0rymCrtz157fdW2euh2g2SYz3/WojDXH77lKlXxVp7FdsyOhxbxv7sJKi2pbJz2gMFXiFpdjr8tic3Y9BkS0mMfO3p3kgaPu7Y5VEUE7nQI9fud0hTpAXAj0p8z2KSAt4QX2fGcPK/9uZqFt8X/E5SyyaoAIedGLVcr8lUr9TCmAXY2XBbBF1HHguSyPSWa8gf0nq6tEfuP/2YkdyxLXrVSjb3KPW3CCR16/PBzNl3mEX0TwAesHpmyBDCmHcCIcGADzwLS/pQx7WQYgQCAKdMtBYWqM0s5TEq8vLWyUdnw/4vP8l6+YrFX4yWXcPFitCwHfGvM75jSBSoIilo6A4CMnDOR60Q/q2NAa/cTjZDXYAey8/8DxMlLIiImaWsDP0uLWl+xMSuFot6XcZDhy59mcmlirHYVz6QpHTH0jidEqglHFc3vsQ/BpSJ1ELD4Gwxr8U+940+iHvsEgPeAoLN5quxUunDaGQAEr+3E/QxvsX0Jo6yQvUl"
    rightrsasigkey="0sAwEAAbkNYV9/gBIi4rOKeY75mCHxIGqvePPBlNp5LkdYGSuPwqYa3HJs7YAA1P05IhOSDjqO8yj6Wq3JfHWcCX1/o/aCBH7yB6lmxfKyJJiQwJ+WUADQ7FSklb7vJ6jWYQLJQZBVMNSJeiia3WRMFeCCy42Zj4zf0yKcz0rbn3ii31K+zqHRZyV3b1hltTsEVUfGD2T/td0tp22qqISWWLpU8xHBGlhYV0Ss5tXcV6rdh9Evd5r+Qk9Cc1VAL9+ZQd/TTKnEcK4ORbMNM+OPJ5Xp0qSA5z/ACD5ubITX/ZGSQpLDhPRnzzM+SmQzqEd61j772qWP2bPkgc/Haz8B62WoRio8Vdk8Ze12JBRFr63vq6YlkonSLJ84sxAUNXmuiJ8HemNvbs5kC4brNTj34ZwiJAFcnCvrLQmTmz5emm6JpP2r2k/hcJ40YEmc5KLZWwNiB4BIxduguGt2VBgcA2fu61NgOwymx0TfOH+tgXDMomaWr1z75OAFEA+fpUSLWxQw3mWLaCHR2/YJjHDR1rBi/GFcRdgPCAL6+0NU0H8JtljwFr42otq25esPGWIkAT1MJBbVAE11O18hnC5owhiRoB2aAKjx3XV9c+x6LBSHfkknO7oAp1DbcEmB6vg3MwVXU2uuWj7++fM8Xis1KiQSspj+B5Lx5RJlxz9qAEOBuj05"
 EOF
 ```
 2. All done! Configure the phase 2 parameters as you otherwise would.
 ## Full GRE/IPsec example
 ```sh
 root@debian:~# ip addr show dev gre1
 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
    link/gre 192.0.2.1 peer 192.0.2.2
@ -102,3 +110,4 @@ _Note: strongSwan < 5.0.0 will read PEM-formatted **private** keys, but requires
    # startup
    auto=route
    keyingtries=%forever
 ```
--- a/howto/IPsecWithPublicKeys/strongSwan5Example.md
+++ b/howto/IPsecWithPublicKeys/strongSwan5Example.md
@ -6,14 +6,17 @@ For IPsec with Public Keys you'll need the package _strongswan-plugin-pubkey_ in
 Don't forget to disable selinux :)
 ### Generate an RSA keypair
 ```sh
 root@debian:~# mkdir /etc/ipsec.d/public
 root@debian:~# ipsec pki --gen --type rsa --outform pem --size 4096 > /etc/ipsec.d/private/mykey.pem
 root@debian:~# ipsec pki --pub --in /etc/ipsec.d/private/mykey.pem --outform pem > /etc/ipsec.d/public/mykey.pem
 root@debian:~# echo ": RSA mykey.pem" >> /etc/ipsec.secrets
 ```
 ### Exchange public keys with your peer
 1. Display the public key. Send the key data to your peer.
 ```sh
 root@debian:~# more /etc/ipsec.d/public/mykey.pem
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA2/FWIJuVUtfsLovavNp+
@ -29,6 +32,7 @@ Don't forget to disable selinux :)
 PpCkdMfSOJ0SqCUcVze+xD8GlInUQsPgbDGvxT73jT6Ie+wSA94Cgs3mq7FS6cNo
 ZAASv7cT9DG+xfQmjrJC9SUCAwEAAQ==
 -----END PUBLIC KEY-----
 ```
 2. Convert your peer's public key to the PEM format using the [pubkey-converter][pubkey-converter] script, if necessary.
@ -49,6 +53,7 @@ In this example, we'll use the following settings:
 1. Add your peer's public key
 ```sh
 root@debian:~# cat << EOF > /etc/ipsec.d/public/peerkey.pem
 -----BEGIN PUBLIC KEY-----
 MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAuQ1hX3+AEiLis4p5jvmY
@ -65,9 +70,11 @@ In this example, we'll use the following settings:
 mP4HkvHlEmXHP2oAQ4G6PTkCAwEAAQ==
 -----END PUBLIC KEY-----
 EOF
 ```
 2. Configure a connection policy in ipsec.conf for your peer
 ```sh
 root@debian:~# cat << EOF >> /etc/ipsec.conf
 conn MYPEER
    # peer IPs
@ -81,10 +88,12 @@ In this example, we'll use the following settings:
    leftrsasigkey=/etc/ipsec.d/public/mykey.pem
    rightrsasigkey=/etc/ipsec.d/public/peerkey.pem
 EOF
 ```
 3. All done! Configure the phase 2 parameters as you otherwise would.
 ## Full GRE/IPsec example
 ```sh
 root@debian:~# ip addr show dev gre1
 11: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN
    link/gre 192.0.2.1 peer 192.0.2.2
@ -121,10 +130,13 @@ In this example, we'll use the following settings:
    # startup
    auto=route
    keyingtries=%forever
 ```
 If your peer is using a Cisco router and is behind NAT, then you might need to add the following option:
 ```
 rightid=NATIP
 ```
 # See also
 * [Network settings](/howto/networksettings)
--- a/howto/IPv6-Multicast.md
+++ b/howto/IPv6-Multicast.md
@ -28,7 +28,7 @@ rfc8815 deprecated pim-sm, please take a look at the new multicast page about pi
 * Create a dummy interface to hold your calculated unicast Rendezvous Point address. This one needs to be reachable from within dn42. Also set "multicast on" on this dummy interface. Example:
-    ```
+    ```conf
    # /etc/network/interfaces.d/pim6sd
    auto pim-router-id
    iface pim-router-id inet manual
@ -86,7 +86,7 @@ You can now switch into this test network namespace via "ip netns exec /bin/bash
 ### Creating a test multicast listener
-```
+```sh
 $ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::123]:eth0" -
 ```
@ -94,7 +94,7 @@ $ socat -u UDP6-RECV:1234,reuseaddr,ipv6-join-group="[ff7e:230:fdd5:69d5:c530::1
 First select which interface should be the default one for your multicast traffic. Then send multicast packets via ICMPv6:
-```
+```sh
 $ ip -6 route add ff7e:230:fdd5:69d5:c530::/96 dev eth0 table local
 $ ping6 -t 16 ff7e:230:fdd5:69d5:c530::123
 ```
@ -145,18 +145,18 @@ However you can usually just announce and use both RFC3306 and RFC3956 based mul
 #### Bootstrap Router
 If you want to be participate as a bootstrap router candidate, please read up on how PIM works first. If you join with a bootstrap router candidate add it here below with contact information and join #dn42-multicast on HackInt:
-* <BSR-ADDR1> - foo@example.com, foo@HackInt
+* \<BSR-ADDR1> - foo@example.com, foo@HackInt
-* <BSR-ADDR2> - ...
+* \<BSR-ADDR2> - ...
 #### Shared multicast addresses
 Next to personal multicast prefixes generated by network prefix (RFC3306 or RFC3956) there can also be multicast addresses not owned by a specific AS. In general any one can just set up a multicast sender or listener for those. However to work, they need a reliable RP for coordination.
 If you want to offer an RP candidate for a shared multicast address, please read up on how PIM works first. If you join with an RP candidate for a shared multicast address add it here below with contact information and join #dn42-multicast on HackInt:
-* <multicast-address1>/128:
+* \<multicast-address1>/128:
-  - <RP-address1> - foo@example.com, foo@HackInt
+  - \<RP-address1> - foo@example.com, foo@HackInt
-  - <RP-address2> - bar@example.com, bar@HackInt
+  - \<RP-address2> - bar@example.com, bar@HackInt
-* <multicast-address2>/128:
+* \<multicast-address2>/128:
  - ...
 ## Questions?
--- a/howto/IPv6.md
+++ b/howto/IPv6.md
@ -65,7 +65,7 @@ Enter NPT. Address your services using a reserved private block, and map that bl
 For example, if you've been assigned a public /48 prefix, and want to be reachable on DN42 aswell, you can use only ULA addresses from DN42 internally (or your own!), then map them to outside prefixes. Note that they'll need to all use the same prefix size to maintain the one-to-one mapping, so you may have to subnet the public prefix.
 In Linux's netfilter, this can be implemented through the use of the NETMAP target, for the example above:
-```
+```sh
 ip6tables -t nat -A POSTROUTING -d 2000::/3 -s <DN42-PREFIX>:<SUBNET>::/56 -j NETMAP --to <PUBLIC-PREFIX>:<SUBNET>::/56; # Map ULA to the public prefix for outgoing packets
 ip6tables -t nat -A PREROUTING -s 2000::/3 -d <PUBLIC-PREFIX>:<SUBNET>::/56 -j NETMAP --to <DN42-PREFIX>:<SUBNET>::/56; # Map public prefix to ULA for incoming packets
 ```
--- a/howto/OpenBGPD.md
+++ b/howto/OpenBGPD.md
@ -16,7 +16,7 @@ By default, [bgpd(8)](http://man.openbsd.org/bgpd.8) listens on all local addres
 ## local host
 Information such as ASN, router ID and allocated networks are required:
-```
+```conf
 # macros
 ASN="4242421234"
@ -31,7 +31,7 @@ prefix-set mynetworks {
 These can be used in subsequent filter rules.
 The local peer's announcements is then defined as follows:
-```
+```conf
 # Generate routes for the networks our ASN will originate.
 # The communities (read 'tags') are later used to match on what
 # is announced to EBGP neighbors
@ -41,7 +41,7 @@ network prefix-set mynetworks set large-community $ASN:1:1
 ## neighbors
 For each neighbor its ASN and transfer ULA is required.
 An optional description is provided such that [bgpctl(8)](http://man.openbsd.org/bgpctl.8) for example can be used with mnemonic names instead of AS numbers:
-```
+```conf
 # peer A, transport over IPSec/GRE
 $A_local="fd00:12:34:A::1"
 $A_remote="fd00:12:34:A::2"
@ -61,7 +61,7 @@ The filter rules are evaluated in sequential order, form first to last.
 The last matching allow or deny rule decides what action is taken.
 Start off with basic protection and sanity rules:
-```
+```conf
 # deny more-specifics of our own originated prefixes
 deny quick from ebgp prefix-set mynetworks or-longer
@ -72,7 +72,7 @@ deny quick from any max-as-len 8
 `quick` rules are considered the last matching rule, and evaluation of subsequent rules is skipped.
 Allow own announcements:
-```
+```conf
 # Outbound EBGP: only allow self originated networks to ebgp peers
 # Don't leak any routes from upstream or peering sessions. This is done
 # by checking for routes that are tagged with the large-community $ASN:1:1
@ -80,7 +80,7 @@ allow to ebgp prefix-set mynetworks large-community $ASN:1:1
 ```
 Allow all remaining UPDATES based on **O**rigin **V**alidation **S**tates:
-```
+```conf
 # enforce ROA
 allow from ebgp ovs valid
 ```
@ -89,7 +89,7 @@ Note how the `ovs` filter requires the `roa-set {...}` to be defined;  see the `
 ### path attributes
 Besides `allow` and `deny` statements, filter rules can modify UPDATE messages, e.g.
-```
+```conf
 # Scrub normal and large communities relevant to our ASN from EBGP neighbors
 # https://tools.ietf.org/html/rfc7454#section-11
 match from ebgp set { large-community delete $ASN:*:* }
@ -123,7 +123,7 @@ roa-set {
 ```
 Include it in `/etc/bgpd.conf`:
-```
+```conf
 # defines roat-set, see _rpki-client crontab
 include "/etc/dn42.roa-set"
 ```
--- a/howto/OpenWRT.md
+++ b/howto/OpenWRT.md
@ -28,9 +28,11 @@ This is needed so that OpenWRT is aware of the new interfaces (for firewall and
 In `/etc/config/network`, add entries for each dn42 interface:
 ```conf
 config interface dn42peer1
    option ifname tun-peer1
    option proto none
 ```
 ## Firewall
@ -43,28 +45,36 @@ Everything is done in `/etc/config/firewall`.
 ### Zone declaration
 ```conf
 config zone
    option name             dn42
    option network          'dn42peer1 dn42peer2 dn42peer3'
    option input            REJECT
    option output           ACCEPT
    option forward          REJECT
 ```
 If you need to NAT your home network into dn42, you probably just need to add: 
 ```conf
 option masq             1
 ```
 ### dn42 ↔ LAN forwarding
 ```conf
 config forwarding                   
    option src              lan
    option dest             dn42
 ```
 If you're confident enough, you can also forward dn42 into your LAN:
 ```conf
 config forwarding                   
    option src              dn42
    option dest             lan
 ```
 Or you can forward only certain ports, to certain hosts, etc (standard `config rule` stuff)
@ -72,7 +82,9 @@ Or you can forward only certain ports, to certain hosts, etc (standard `config r
 This is more tricky. In theory, all you have to do is to set
 ```conf
 option forward          ACCEPT
 ```
 in the definition of the zone. However, due to a bug in Attitude Adjustment (see <https://dev.openwrt.org/ticket/12945>), this will allow forwarding **everything everywhere**.
--- a/howto/Quagga.md
+++ b/howto/Quagga.md
@ -6,16 +6,20 @@ Quagga is probably one of the oldest software router around.  It still works, of
 Use this in your `zebra.conf`:
 ```conf
 route-map RM_SET_SRC permit 10
    set src 172.22.XX.XX
 ip protocol bgp route-map RM_SET_SRC
 ```
 Unfortunately, this is not possible with IPv6...
 ## Important bgp commands
 To connect to bgpd use:
 ```sh
 $ vtysh
 ```
 Which provides an interactive interface.
 In this interface '?' can be used to list the available commands or subcommands.
@ -23,16 +27,19 @@ In this interface '?' can be used to list the available commands or subcommands.
 ## Configure Quagga
 a minimal config would look like this:
 ```sh
 vtysh> configure terminal
 vtysh(config)> router bgp <your-asn>
 vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
 vtysh(config-router)> neighbor <neighbor-ip> interface <interface>
 vtysh(config-router)> exit
 vtysh(config)> exit
 ```
 ### IPv6
 for IPv6 do something like
 ```sh
 vtysh> configure terminal
 vtysh(config)> router bgp <your-asn>
 vtysh(config-router)> neighbor <neighbor-ip> remote-as <neighbor-asn>
@ -43,24 +50,32 @@ for IPv6 do something like
 vtysh(config-router-af)> exit
 vtysh(config-router)> exit
 vtysh(config)> exit
 ```
 ### peer groups, prefix lists and such
 If you want to use 'prefix-list' to filter some of the prefixes quagga is receiving, you can use a 'peer-group' instead of apply the prefix list to every neighbor. 
 Define a peer group:
 ```sh
 vtysh(config-router)> neighbor <peer-group-name> peer-group
 ```
 Apply to a neighbor:
 ```sh
 vtysh(config-router)> neighbor <neighbor-ip> peer-group <name>
 ```
 Apply a prefix list for incoming prefixes to your peer group:
 ```sh
 vtysh(config-router)> neighbor <peer-group-name> prefix-list <prefix-list-name> in
 ```
 #### Example filter list
 ```sh
 ip prefix-list vpn-in description BGP IPv4 import filter
 !old network:
 ip prefix-list vpn-in seq 5 permit 172.22.0.0/15 ge 22 le 28
@ -96,9 +111,10 @@ Apply a prefix list for incoming prefixes to your peer group:
 ipv6 prefix-list vpn-in seq 10 permit fd00::/8 ge 9
 ipv6 prefix-list vpn-in seq 15 deny any
 ```
 #### Example filter list script
-```
+```sh
 #!/bin/bash
 vtysh -c 'conf t' -c "no ip prefix-list dn42"; #drop old prefix list
--- a/howto/ROA-slash-RPKI.md
+++ b/howto/ROA-slash-RPKI.md
@ -32,11 +32,12 @@ You can find a hosted example of dn42regsrv at <https://explorer.burble.com/>
 Instructions on how to host dn42regsrv yourself can be found on the git repo of [dn42regsrv](https://git.burble.com/burble.dn42/dn42regsrv). 
 You can also run dn42regsrv via docker (then available at 127.0.0.1:8042):
-
+```sh
 git checkout https://git.burble.com/burble.dn42/dn42regsrv.git .
 cd contrib/docker
 ./build.sh
 docker-compose up -d
 ```
 Documentation for the api endpoints can be found here: <https://git.burble.com/burble.dn42/dn42regsrv/src/master/API.md>
@ -48,7 +49,9 @@ burble kindly provides ready-to-use files for gortr here:
 You can use these to simply run gortr via docker:
 ```sh
 docker run -ti -p 8082:8082 cloudflare/gortr -cache https://dn42.burble.com/roa/dn42_roa_46.json -verify=false -checktime=false -bind :8082
 ```
 ### rtrtr
@ -56,10 +59,13 @@ rtrtr is a RTR server from NLNet Labs. It's compatible with the dn42regsrv ROA-J
 NLNet Labs provides an official docker image. You just have to bind mount a suitable configuration file:
 ```sh
 docker run -d -v /etc/rtrtr.conf:/etc/rtrtr.conf -p 323:323/tcp nlnetlabs/rtrtr -c /etc/rtrtr.conf
 ```
 This is a working configuration file for dn42. Maybe change the listen addresses:
 ```conf
 log_level = "debug"
 log_target = "stderr"
 http-listen = []
@ -71,6 +77,7 @@ This is a working configuration file for dn42. Maybe change the listen addresses
 type = "rtr"
 listen = ["0.0.0.0:323", "[::]:323"]
 unit = "dn42-json"
 ```
 For more information cosult the official documentation: <https://rtrtr.docs.nlnetlabs.nl/en/stable/>
--- a/howto/Registry-Authentication.md
+++ b/howto/Registry-Authentication.md
@ -50,7 +50,7 @@ There are three options for doing this. but you only need to do **one** of these
 ### `auth` attribute format, when your public key is in gitea or a public keyserver
 - Use the following `auth` attribute in your `mntner` object:
-```
+```conf
 auth:               pgp-fingerprint <fingerprint>
 ```
 Where `<fingerprint>` is your **full 40-digit** key fingerprint, without spaces.
@ -62,7 +62,7 @@ Where `<fingerprint>` is your **full 40-digit** key fingerprint, without spaces.
 *Tip: look at the existing key-cert objects for examples of how to add your public key*
 - In this case the `auth` attribute must refer to the new key-cert object so use the following in your `mntner` object:
-```
+```conf
 auth:               PGPKEY-<short fingerprint>
 ```
 Where `<short fingerprint>` is the last **8** digits from your key fingerprint.
@ -76,7 +76,7 @@ Where `<short fingerprint>` is the last **8** digits from your key fingerprint.
 - Use `git commit -S` to commit and sign your change.
 - If you have already committed your change without signing it, you can sign the existing commit using:
-```
+```sh
 git commit --amend --no-edit -S
 ```
 If you had already pushed your change to gitea, you must also do a force push (`git push --force`) to update the remote copy.
@ -105,17 +105,17 @@ If you cannot get the above to work you may also:
 ### `auth` attribute format when using an ssh key
 The generic format for authentication using an SSH key is as follows:
-```
+```conf
 auth:               ssh-<keytype> <pubkey>
 ```
 Common examples:
-```
+```conf
 auth:               ssh-ed25519 <pubkey>
 ```
-```
+```conf
 auth:               ssh-rsa <pubkey>
 ```
@ -131,13 +131,13 @@ Brief instructions are below, however there are also more detailed guides availa
 - Set your git signature format to be SSH
-```
+```sh
 git config --global gpg.format ssh
 ```
 - Tell git which SSH key to use
-```
+```sh
 git config --global user.signingKey '<ssh public key>'
 ```
@ -167,13 +167,13 @@ The registry includes a script that uses ssh-keygen signatures to sign your chan
 #### How to sign
-```
+```sh
 ./sign-my-commit --ssh --key <path to your SSH private key> --push <MNTNER>
 ```
 e.g.
-```
+```sh
 ./sign-my-commit --ssh --key /home/foo/.ssh/id_ed25519 --push FOO-MNT
 ```
@ -181,7 +181,7 @@ e.g.
 The script can also verify your signature:
-```
+```sh
 ./sign-my-commit --ssh --verify <MNTNER>
 ```
@ -231,7 +231,7 @@ Please try and upgrade your ssh-keygen version and use the generic ssh-keygen me
 ### Authentication with an SSH RSA key
 - Use the following `auth` attribute in your `mntner` object:
-```
+```conf
 auth:               ssh-rsa <pubkey>
 ```
 Where `<pubkey>` is the ssh public key copied from your id_rsa.pub file. 
@ -269,7 +269,7 @@ openssl pkeyutl \
 ### Authentication with an SSH ecdsa key
 - Use the following `auth` attribute in your `mntner` object:
-```
+```conf
 auth:               ecdsa-sha2-nistp256 <pubkey>
 ```
 Where `<pubkey>` is the ssh public key copied from your id_ecdsa.pub file. 
--- a/howto/Static-routes-on-Windows.md
+++ b/howto/Static-routes-on-Windows.md
@ -1,6 +1,6 @@
 Modern versions of Windows do not support OSPF and manually adding static routes every time after a reboot is annoying. Below is a batch script you can edit and run to help make adding routes easier. This script assumes that your BGP router and Windows computer are on the same LAN.
-```
+```sh
@echo off
 REM fill in YOUR network information
 REM right click and RUN AS ADMIN
--- a/howto/lglass.md
+++ b/howto/lglass.md
@ -1,6 +1,8 @@
 lglass is a Python software package designed for Internet Registries like the DN42. You can generate zone files for DNS and rDNS IPv4/v6, and handle the registry. It is available on GitHub as free software:
 ```sh
 $ git clone git://github.com/fritz0705/lglass.git
 ```
 ## Links
 - [Fritz Gihub repo](https://github.com/fritz0705/lglass)
@ -10,13 +12,17 @@ lglass is a Python software package designed for Internet Registries like the DN
 lglass provides an event-based whois daemon with internal caching, which was written in Python. It is very simple to run an instance:
 ```sh
 $ ./bin/lglass-whoisd
 ```
 without the configfile:
 ```sh
 $ ./bin/lglass-regtool whoisd -H $HOST -p $PORT
-.
+```
 ```
 usage: lglass-whoisd [-h] [-4] [-6] [--host HOST] [--port PORT]
                     [--cidr] [--no-cidr] [--inverse] [--no-inverse]
@ -30,7 +36,7 @@ without the configfile:
    --no-cidr             Do not perform CIDR matching on queries
    --inverse, -i         Perform inverse matching on queries
    --no-inverse          Do not perform inverse matching on queries
-
+```
 ## Generate zone files
@ -38,32 +44,42 @@ lglass also provides a script to generate zone files from the registry. It's nam
 To generate DNS zones:
 ```sh
 $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com dns -z dn42
 ```
 To generate IPv4 rDNS zones:
 ```sh
 $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns4 -N 172.22.0.0/16
 ```
 To generate IPv6 rDNS zones:
-
+```sh
 $ ./bin/lglass-zonegen -d $PATH_TO_DATA_DIR -n ns1... -n ns2... -e foo.bar.com rdns6 -N fd00::/8
 ```
 ## Reformat RPSL files
 You can also reformat RPSL files using lglass by using the lglass.rpsl module:
 ```sh
 $ ./bin/lglass-rpsl < $DATA/inetnum/172.22.0.53_32
 ```
 lglass.rpsl also supports in-place operation:
 ```sh
 $ ./bin/lglass-rpsl -i $DATA/inetnum/172.22.0.53_32
 ```
 This opens the file, reads the content into memory, seeks to position 0, writes the formatted object and truncates the file.
 Simple web interface
 lglass also comes with a simple web interface written in Python3 using Bottle and Jinja2. It also provides a binary to run it using wsgiref:
-
+```sh
 $ ./bin/lglass-web
 ```
 Furthermore you can use any WSGI server like Gunicorn by using lglass.web.application:app as WSGI callback. You can provide a path to the configuration file in the environment variable `LGLASS_WEB_CFG`.
--- a/howto/networksettings.md
+++ b/howto/networksettings.md
@ -13,22 +13,22 @@ That is why `rp_filter` needs to be disabled.
 **Note** using sysctl is not persistent. Depending on your linux distribution put it into `/etc/sysctl.conf` or `/etc/sysctl.d`
-```
+```sh
 sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.default.rp_filter=0
 ```
 Check that its really disabled:
-```
+```sh
 sysctl -a | grep rp_filter
 ```
 Also the following options must be set.
-```
+```sh
 $ sysctl -w net.ipv4.conf.all.forwarding=1 net.ipv6.conf.all.forwarding=1
 ```
 Check that ALL your vpn interfaces allow ip forwarding for ipv6/ipv4.
-```
+```sh
 $ sysctl -a | grep forwarding
 ```
--- a/howto/nixos.md
+++ b/howto/nixos.md
@ -176,8 +176,7 @@ Like ferm, Bird2 is configured by ```services.bird2.config``` containing a strin
 Sample example to update ROA's : 
 ```nix
 { pkgs, lib, ... }:
-let
+let script = pkgs.writeShellScriptBin "update-roa" ''
  script = pkgs.writeShellScriptBin "update-roa" ''
    mkdir -p /etc/bird/
    ${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42_v6.conf https://dn42.burble.com/roa/dn42_roa_bird2_6.conf
    ${pkgs.curl}/bin/curl -sfSLR {-o,-z}/etc/bird/roa_dn42.conf https://dn42.burble.com/roa/dn42_roa_bird2_4.conf
--- a/howto/openvpn.md
+++ b/howto/openvpn.md
@ -10,7 +10,7 @@
 * Replace `<REMOTE_GATEWAY_IP>` with dn42 ip address of your peer
 * `<LOCAL_GATEWAY_IPV6> <REMOTE_GATEWAY_IPV6>` same as ipv4, but both ip addresses needs to be in the same subnet. For simplicity you can always use an address from link-local ipv6 range (fe80::/64)
-```
+```conf
 #/etc/openvpn/<PEER_NAME>
 proto       <PROTO>
 mode        p2p
@ -39,7 +39,7 @@ secret /etc/openvpn/<PEER_NAME>.key
 then create a new key and share it with your peer
-```
+```sh
 $ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
 ```
@ -47,7 +47,7 @@ $ openvpn --genkey --secret /etc/openvpn/<PEER_NAME>.key
 ## peer with fixed ip
-```
+```conf
 proto       <PROTO>
 mode        p2p
 dev-type    tun
@ -72,7 +72,7 @@ secret /etc/openvpn/<PEER_NAME>.key
 * `<REMOTE_HOST>` is the ip address of your peer
 * `<REMOTE_PORT>` is openvpn port, where your peer listen for traffic
-```
+```conf
 proto       <PROTO>
 mode        p2p
 remote      <REMOTE_HOST>
@ -99,7 +99,7 @@ Clients connect using certificates, and simply get attributed dn42 IPs in the or
 Replace `<PORT>` with the UDP port you want OpenVPN to listen to, and change the IP ranges (`ifconfig` and `route-gateway` options).
-```
+```conf
 mode server
 tls-server
@ -152,7 +152,7 @@ push "route 172.22.0.0 255.254.0.0"
 Change `<SERVER>` and `<PORT>`.
-```
+```conf
 client
 ca   ca.crt
--- a/howto/systemd-networkd-configuration-example.md
+++ b/howto/systemd-networkd-configuration-example.md
@ -5,7 +5,7 @@ This is the config that is used on ZOTAN Networks (AS4242422341). Full network c
 # Configuration
 ## loopback device (lo.network)
-```
+```conf
 [Match]
 Name=lo
@ -14,7 +14,7 @@ Address=fdff:b02d:2ef7::2/128
 ```
 ## wireguard netdev (dn42p1.netdev)
-```
+```conf
 [NetDev]
 Name = dn42p1
 Kind = wireguard
@ -31,7 +31,7 @@ AllowedIPs = 172.16.0.0/12,10.0.0.0/8,fd00::/8,fe80::/10,ff00::/8
 ```
 ## wireguard network (dn42p1.network)
-```
+```conf
 [Match]
 Name = dn42p1
--- a/howto/tinc.md
+++ b/howto/tinc.md
@ -10,7 +10,7 @@ One advantage of tinc is that you can have multiple peering over the same VPN co
 Example `/etc/tinc/dn42_yourpeer/tinc.conf`:
-```
+```conf
 Interface = dn42_yourpeer
 Name = your_host
 # Only switch mode is feasible for dn42 peerings, since in router mode tinc takes care of routing decisions on its own
@ -26,7 +26,7 @@ Tinc requires to add manually ip addresses and routes to the tap/tun interfaces.
 Example `/etc/tinc/dn42_yourpeer/tinc-up`:
 **Linux/iproute2**
-```
+```sh
 #!/bin/sh
 # set the interface up
@ -44,13 +44,13 @@ For authentication tinc uses public key authentication instead of certificates o
 For each key tinc should connect to or allow to connect, a file with the name of the peer in tincd -n twwh -K
 is required. To generate a public/private key pair use:
-```
+```sh
 $ tincd -K
 ```
 Import for each other party the key like this `/etc/tinc/dn42_yourpeer/hosts/<peername>`:
-```
+```conf
 # address/port are optional, in case they're missing you only expect connections from that host
 Address = <fqdn/ip_addr>
 Port = <port|655>
@ -74,19 +74,19 @@ Installation:
 * Freebsd: Use this [port repo](https://github.com/Mic92/ports/tree/master/security/tinc)
 Set up a new tinc network
-```
+```sh
 # tinc -n dn42_yourpeer init dn42_yourself
 ```
 Invite your peering partner. Tinc will print the invitaion which you need to copy to your peering partner.
-```
+```sh
 $ tinc invite yourpeer
 <ip-or-address>/nIRp5pJCnfnhuV13JUomscGs1q5HqEbz3AydZer7wRaMcpUB
 ```
 On the other node you can join by using:
-```
+```sh
 $ tinc join <invitation-url>
 ```
--- a/howto/wireguard.md
+++ b/howto/wireguard.md
@ -9,13 +9,13 @@ to allow your BGP daemon instead to do routing. This approach is comparable to [
 First generate on each peer public and private keys.
-```
+```sh
 $ wg genkey | tee privatekey | wg pubkey > publickey
 ```
 ## Configuration
-```
+```conf
 # tunnel.conf
 [Interface]
 PrivateKey = <private_key>
@ -38,7 +38,7 @@ AllowedIPs = 0.0.0.0/0,::/0
 Wireguard comes with its own interface type. 
 It supports link-local addresses for IPv6 and single /32 addresses for IPv4, which can be used for peering.
-```
+```sh
 $ ip link add dev <interface_name> type wireguard
 $ wg setconf <interface_name> tunnel.conf
 # both side pick a different link-local ipv6 address
@ -54,7 +54,7 @@ Maybe you should check the MTU to your peer with e.g. `ping -s 1472 <end_point_h
 ## Testing
-```
+```sh
 ping fe80::<your_peers_suffix>%<interface_name>
 ```
@ -94,7 +94,7 @@ The script makes some changes that are not valid when used for DN42 tunnels, and
 An example wg-quick script that incorporates the above two workarounds is below, where `<MyIPv[46]>` are the DN42 IP addresses of your node and `<PeerIPv[46]>` are the IP addresses for your peer. 
-```
+```conf
 [Interface]
 PrivateKey = <your private key>
 Address = <your link-local address, if any>
@ -114,7 +114,7 @@ Use `which ip` to get the full path to your ip binary.
 Example configuration for systemd-networkd.
 peer.netdev
-```text
+```conf
 [NetDev]
 Name=<ifname>
 Kind=wireguard
@ -134,7 +134,7 @@ AllowedIPs=0.0.0.0/0
 ```
 peer.network
-```text
+```conf
 [Match]
 Name=<ifname>
@ -172,6 +172,6 @@ Peer=<your peer's IPv4 address>/32
 As wireguard are only resolving the hostname to IP only on start, dynamics DNS will stop working after a while without further configuration. The Following is a [script](https://github.com/WireGuard/wireguard-tools/blob/master/contrib/reresolve-dns/reresolve-dns.sh) from wireguard which will "re-resolve" the DNS and update the wireguard. 
 You can add cron entries to periodically  "re-resolve" the DNS:
-```
+```sh
 * * * * * /path-to-the-script/reresolve-dns.sh
 ```
--- a/internal/Internal-Services.md
+++ b/internal/Internal-Services.md
@ -186,9 +186,9 @@ Providers of shell access:
 | Person        | Hostname                               | Net              | Description | Contact       |
 |:------------- |:-------------------------------------- |:---------------- |:---------------- |:------------- |
-| mc36          | telnet test.nop.dn42                   | dn42 only        |looking glass     | -             |
+| mc36          | `telnet test.nop.dn42`                   | dn42 only        |looking glass     | -             |
-| JerryXiao     | ssh lg@lg.jerry.dn42                   | dn42 and icvpn   |looking glass     | -             |
+| JerryXiao     | `ssh lg@lg.jerry.dn42`                   | dn42 and icvpn   |looking glass     | -             |
-| burble        | ssh <mntner>@shell.fr-rbx1.burble.dn42 <br/> ssh <mntner>@shell.ca-bhs2.burble.dn42 | dn42             |Full shell account| See below |
+| burble        | `ssh <mntner>@shell.fr-rbx1.burble.dn42` <br/> `ssh <mntner>@shell.ca-bhs2.burble.dn42` | dn42             | Full shell account | See below |
 ### burble.dn42 shell access
--- a/services/Automatic-CA.md
+++ b/services/Automatic-CA.md
@ -55,7 +55,9 @@ Server certificates are signed for 45 days. To renew follow the steps above star
 get the script here: 
 ```sh
 curl https://ca.dn42/ca.dn42 > ca.dn42; chmod +x ca.dn42
 ```
 available via git: anon@git.dn42:dn42/ca-client
@ -106,7 +108,7 @@ Environtment Options:
 Generate the user key
-```
+```sh
 $ ./ca.dn42 user-gen XUU-MNT xuu@sour.is
 Generating a 2048 bit RSA private key
 ...............................+++
@ -121,7 +123,7 @@ writing new private key to 'XUU-MNT.key'
 ### Sign the user key
-```
+```sh
 $ ./ca.dn42 user-sign XUU-MNT xuu@sour.is
 == USER CERT ==
   C:XD
@ -138,7 +140,7 @@ Verifying - Enter Export Password:
 ### Generate the server key
-```
+```sh
 $ ./ca.dn42 tls-gen ca.dn42 XUU-MNT xuu@sour.is DNS:ca.dn42
 Generating a 2048 bit RSA private key
@ -162,7 +164,7 @@ $ dig +short TXT _dn42_tlsverify.ca.dn42.
 ### Sign the server key
-```
+```sh
 $ ./ca.dn42 tls-sign ca.dn42 XUU-MNT
 == USER CERT ==
   C:XD 
@ -190,13 +192,13 @@ Verifying - Enter Export Password: ****
 The generated certificate will be valid for 3 months, to renew it simply run ```./ca.dn42 tls-sign ca.dn42 XUU-MNT``` again. This could be also automated in cron:
-```
+```sh
 0 0 1 * * /etc/ssl/dn42/ca.dn42 tls-sign wiki.dn42 MIC92-MNT
 ```
 or with a systemd timer:
-```
+```conf
 # update-dn42-ca.timer
 [Timer]
 OnBootSec=1h
@ -207,7 +209,7 @@ Persistent=yes
 WantedBy=timers.target
 ```
-```
+```conf
 [Service]
 Type=oneshot
 WorkingDirectory=/etc/ssl/dn42
@ -219,7 +221,7 @@ ExecStart=/usr/bin/nginx -s reload
 ### Revoke a certificate.
-```
+```sh
 $ ./ca.dn42 revoke XUU-MNT XUU-MNT.crt 
 == USER CERT ==
   C:XD 
--- a/services/Certificate-Authority.md
+++ b/services/Certificate-Authority.md
@ -101,11 +101,11 @@ C0IKqQ==
 ## Testing constraints
 The name constraints can be verified for example by using openssl:
-```
+```sh
 openssl x509 -in dn42.crt -text -noout
 ```
 which will show among other things:
-```
+```text
    X509v3 Name Constraints: 
      Permitted:
        DNS:.dn42
--- a/services/DNS.md
+++ b/services/DNS.md
@ -24,7 +24,7 @@ service and configure the other service as the secondary or backup nameserver.
 Example resolv.conf, preferring a0.recursive-servers.dn42 and IPv4:
-```text
+```conf
 nameserver 172.20.0.53
 nameserver 172.23.0.53
 nameserver fd42:d42:d42:54::1
@ -34,7 +34,7 @@ search dn42
 Example resolv.conf, preferring a3.recursive-servers.dn42 and IPv6:
-```text
+```conf
 nameserver fd42:d42:d42:53::1
 nameserver fd42:d42:d42:54::1
 nameserver 172.23.0.53
--- a/services/Distributed-Wiki.md
+++ b/services/Distributed-Wiki.md
@ -84,7 +84,7 @@ RACK_ENV=production gollum --css --host 127.0.0.1  --port 4567 --no-edit <path>
 - Generate a [CSR](/services/Certificate-Authority) and send DNS Key Pin to [xuu@sour.is](mailto:xuu@sour.is): 
 - \<AS> is the as number with the prefix `as` like `as64737-ca.wiki.dn42`
-```
+```sh
 ./ca.dn42 tls-gen \
   <AS>-<CC>(-<UID>).wiki.dn42 \
   EXAMPLE-MNT \
@ -109,13 +109,13 @@ A custom header `X-SiteID` identifies the site you're connecting to:
  - Extract base64 encoded SPKI fingerprint from private key `wiki.key`:
-    ```
+    ```sh
 openssl rsa -in wiki.key -outform der -pubout | openssl dgst -sha256 -binary | openssl enc -base64
    ```
  - Configure Nginx to send the fingerprint in header (SSL block):
-    ```
+    ```conf
 add_header Public-Key-Pins  pin-sha256="<primary>"; pin-sha256="<backup>"; max-age=5184000; includeSubDomains';
    ```
@ -137,7 +137,7 @@ Nginx should listen on a unicast address as well, so your site can be reached ex
 #### Config example
-```
+```conf
 ssl_protocols  TLSv1.2 TLSv1.1 TLSv1;
 ssl_session_cache shared:SSL:2m;
@ -196,7 +196,7 @@ The prefix AS-PATH should show the announcement is originating from your AS. Aft
 #### Configuration
-```
+```conf
 # exabgp.conf
 group gollum-watchdog {
--- a/services/IRC.md
+++ b/services/IRC.md
@ -3,7 +3,6 @@
 We have an IRC Chatroom on the [hackint-Network](http://www.hackint.org). It is reachable from within DN42, ChaosVPN and the public internet. A connection is only possible via TLS on port 6697.
 | Network | Hostname                                 |  SSL        | IPv4                       | IPv6         |
 |:--------|:------------------------------------------|:------ |:-------------------------- |:------------ |
 | DN42 | [irc.hackint.dn42](ircs://irc.hackint.dn42:6697) |  Yes    | 172.20.66.67 |  fd42:d42:d42:6667::1 |
--- a/services/IXP-frnte.md
+++ b/services/IXP-frnte.md
@ -48,15 +48,19 @@ A Ruby script to calculate the IPv6 can be found on [ixp\_frnte\_dn42\_prefix.rb
 An example configuration for Debian based Linux distributions would be:  
 ```sh
 iface ensXX inet6 static
    address fde0:93fa:7a0:2:0:fcde:3558:1/64
 ```
 Here `ensXX` is the dn42 VLAN interface. This can be determined by comparing the MAC address of the interface with the MAC address of the dn42 VLAN in Proxmox. The MAC address can be determined on Linux with `ip l`:
 ```sh
 ensXX: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu
    1500 qdisc pfifo_fast state UP mode DEFAULT group
    default qlen 1000
    link/ether MAC brd ff:ff:ff:ff:ff:ff
 ```
 `MAC` would be the MAC address. After that you can activate the interface with ifup or a reboot of the VM.  
 Of course there are other configuration possibilities. This is only an example for Debian-based Linux distributions.
@ -71,6 +75,7 @@ You can now enter this configuration into your routing daemon and it will connec
 An example configuration for bird2 would be the following:
 ```conf
 protocol bgp ixp_rs from dnpeers {
    neighbor fde0:93fa:7a0:2:0:fcde:3559:1 as 4242421081;
@ -82,6 +87,7 @@ An example configuration for bird2 would be the following:
    	extended next hop;
    };
 }
 ```
 **What does this configuration do?**
@ -107,8 +113,8 @@ Furthermore, you can display different routes (in case of bird with `birdc show
 One can also try to ping the IP of some at the IXP. From the latency you can also see if everything is working:  
 *   Burble's pingable
-    *   172.20.129.5
+    *   `172.20.129.5`
-    *   fd42:4242:2601:ac05::1
+    *   `fd42:4242:2601:ac05::1`
 *   Bandura's pingable:
-    *   172.22.149.224
+    *   `172.22.149.224`
-    *   fd04:234e:fc31::
+    *   `fd04:234e:fc31::`
--- a/services/Route-Collector.md
+++ b/services/Route-Collector.md
@ -25,7 +25,7 @@ The collector uses the dynamic peering capability in Bird2 to allow anyone to pe
 Example bird2 config:
-```text
+```conf
 protocol bgp ROUTE_COLLECTOR
 {
  local as ***YOUR_ASN***;
--- a/services/Statistics.md
+++ b/services/Statistics.md
@ -11,7 +11,7 @@ Channel statistics for #dn42@hackint are available at: <https://dev.0l.dn42/stat
 #### collectd.conf
-```
+```conf
 LoadPlugin exec
 <Plugin exec>
   Exec nobody "/etc/collectd/bgp_prefixes-quagga.sh"
--- a/services/Whois.md
+++ b/services/Whois.md
@ -66,8 +66,10 @@ Mirrors are hosted at `asn.grmml.dn42` and `asn.lorkep.dn42`.
 Example:
 ```sh
 $ dig +short AS4242420000.asn.dn42 TXT
 "4242420000 | DN42 | dn42 |  | PYROPETER-AS PyroPeters AS"
 ```
 The Python code for generating the zone from the registry is available on the monotone repository.
--- a/services/dns/Configuration.md
+++ b/services/dns/Configuration.md
@ -27,7 +27,7 @@ DN42 is [interconnected](/internal/Interconnections) with the Inter City VPN or
 If you already run a local DNS server, you can tell it to query the dn42 anycast servers for the relevant domains
 by adding the following to /etc/bind/named.conf.local
-```
+```conf
 zone "dn42" {
  type forward;
  forwarders { 172.20.0.53; fd42:d42:d42:54::1; };
@ -71,7 +71,7 @@ options {
 **Note**: With DNSSEC enabled, bind might refuse to accept query results from the dn42 zone: `validating dn42/SOA: got insecure response; parent indicates it should be secure`.
 To disable DNSSEC validation only for certain TLDs include the following in the options section:
-```
+```conf
 options {
  # [...]
@ -93,7 +93,7 @@ options {
 If you are running dnsmasq under openwrt, you just have to add 
-```
+```conf
 config dnsmasq
        option boguspriv '0'
        option rebind_protection '1'
@ -115,7 +115,7 @@ Attention: If you go with the default config you'll have to disable "boguspriv"
 For normal dnsmasq use
-```
+```conf
 server=/dn42/172.20.0.53
 server=/20.172.in-addr.arpa/172.20.0.53
 server=/21.172.in-addr.arpa/172.20.0.53
@ -129,7 +129,7 @@ in `dnsmasq.conf`.
 ## PowerDNS recursor
 Add this to /etc/powerdns/recursor.conf (at least in Debian and CentOS).
-```
+```conf
 dont-query=127.0.0.0/8, 192.168.0.0/16, ::1/128, fe80::/10
 forward-zones-recurse=dn42=172.20.0.53
 forward-zones-recurse+=20.172.in-addr.arpa=172.20.0.53
@ -143,7 +143,7 @@ forward-zones-recurse+=d.f.ip6.arpa=172.20.0.53
 ## MaraDNS
 Put this in your mararc:
-```
+```conf
 ipv4_alias["dn42_root"] = "172.20.0.53"
 root_servers["dn42."] = "dn42_root"
 root_servers["20.172.in-addr.arpa."] = "dn42_root"
@ -158,7 +158,7 @@ root_servers["10.in-addr.arpa."] = "dn42_root"
 Make sure to disable `auto-trust-anchor-file` and manually configure `trust-anchor-file` to 
 point to a file with DNSKEY records for dn42.
-```
+```conf
 server:
      local-zone: "20.172.in-addr.arpa." nodefault
      local-zone: "21.172.in-addr.arpa." nodefault
@ -205,11 +205,11 @@ forward-zone:
 ## JunOS (SRX 12.1X46)
 Should also work in 12.1X44 and 12.1X45. After making the changes below you may need to run:
-```
+```sh
 restart named-service
 ```
 Config (vlan.0 is presumed to be your LAN/Trust interface)
-```
+```conf
 system {
   services {
      dns {
@ -289,17 +289,17 @@ All delegation servers have DNSSEC support and all record are signed, for more i
 Following is a list of links to the DS record for TLD and reverse zone, to configure the key file, extract the value of ds-rdata and format it as follows, you must add all ds-rdata to the key file for dnssec to work. P.S. each ds-rdata or DS record should contain 4 numbers.
 This is an example for dn42. and (fake) ds-rdata of 1 2 3 456
-```
+```conf
 dn42.	86400	IN	DS	1 2 3 456
 ```
 This is an example for 172.20.0.0/16 and (fake) ds-rdata of 1 2 3 456
-```
+```conf
 20.172.in-addr.arpa.	86400	IN	DS	1 2 3 456
 ```
 This is an example for fd00::/8 and (fake) ds-rdata of 1 2 3 456
-```
+```conf
 d.f.ip6.arpa.	86400	IN	DS	1 2 3 456
 ```
@ -323,7 +323,7 @@ d.f.ip6.arpa.	86400	IN	DS	1 2 3 456
 ## Unbound
-```
+```conf
 trust-anchor-file: <path to key file>
 server:
--- a/services/dns/Recursive-DNS-resolver.md
+++ b/services/dns/Recursive-DNS-resolver.md
@ -8,7 +8,7 @@ You may use some servers listed in the [table of anycast servers](/services/dns/
 Configuration for `unbound.conf`
-```
+```conf
 server:
        local-zone: "22.172.in-addr.arpa." nodefault
        local-zone: "23.172.in-addr.arpa." nodefault
@ -35,7 +35,7 @@ stub-zone:
 ### Unbound with root-hints
 Alternatively you can put dn42 root servers in the root-hints file for recursive resolving.
-```
+```conf
 # /etc/unbound/unbound.conf.d/dn42.conf 
 server:
        # DNSSEC validation will fail
@ -55,7 +55,7 @@ remote-control:
 ```
 The `/etc/unbound/dn42.hints` file:
-```
+```conf
 .                                         NS    a.root-servers.dn42.
 a.root-servers.dn42.           3600000    A     172.22.177.6
 .                                         NS    m.root-servers.dn42.