--- a/hosts_access.5
+++ b/hosts_access.5
@@ -109,9 +109,9 @@ network address will be unavailable when
 what type of network it is talking to.
 .IP PARANOID
 Matches any host whose name does not match its address.  When tcpd is
-built with -DPARANOID (default mode), it drops requests from such
+built with \-DPARANOID (default mode), it drops requests from such
 clients even before looking at the access control tables.  Build
-without -DPARANOID when you want more control over such requests.
+without \-DPARANOID when you want more control over such requests.
 .ne 6
 .SH OPERATORS
 .IP EXCEPT
@@ -174,7 +174,9 @@ Patterns like these can be used when the
 addresses with different internet hostnames.  Service providers can use
 this facility to offer FTP, GOPHER or WWW archives with internet names
 that may even belong to different organizations. See also the `twist\'
-option in the hosts_options(5) document. Some systems (Solaris,
+option in the
+.BR hosts_options (5)
+document. Some systems (Solaris,
 FreeBSD) can have more than one internet address on one physical
 interface; with other systems you may have to resort to SLIP or PPP
 pseudo interfaces that live in a dedicated network address space.
@@ -203,7 +205,7 @@ same wildcards apply (netgroup membershi
 should not get carried away with username lookups, though.
 .IP \(bu
 The client username information cannot be trusted when it is needed
-most, i.e. when the client system has been compromised.  In general,
+most, i.e., when the client system has been compromised.  In general,
 ALL and (UN)KNOWN are the only user name patterns that make sense.
 .IP \(bu
 Username lookups are possible only with TCP-based services, and only
@@ -321,9 +323,8 @@ in.tftpd: LOCAL, .my.domain
 .ne 2
 /etc/hosts.deny:
 .in +3
-.nf
-in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
-	/usr/bin/mail -s %d-%h root) &
+in.tftpd: ALL: (/usr/sbin/safe_finger \-l @%h | \e
+	/usr/bin/mail \-s %d-%h root) &
 .fi
 .PP
 The safe_finger command comes with the tcpd wrapper and should be
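Review bot: The ".nf" removed just above the in.tftpd rule leaves the ".fi" after it unmatched, and unless no-fill mode is still active from earlier in the file, the two command lines will be filled into one paragraph and the tab-indented continuation after "\e" will no longer start its own line. Please keep the ".nf" so the example renders exactly as it should be typed into /etc/hosts.deny. Separately, "%d-%h" in the mail subject still carries a bare "-" while "\-l" and "\-s" on the same two lines were escaped; if the aim is a literal minus in commands that get copied and pasted, make it "%d\-%h" as well.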
@@ -359,9 +360,9 @@ that shouldn\'t.  All problems are repor
 .fi
 .SH SEE ALSO
 .nf
-hosts_options(5) extended syntax.
-tcpd(8) tcp/ip daemon wrapper program.
-tcpdchk(8), tcpdmatch(8), test programs.
+.BR hosts_options "(5) extended syntax."
+.BR tcpd "(8) tcp/ip daemon wrapper program."
+.BR tcpdchk "(8), " tcpdmatch "(8), test programs."
 .SH BUGS
 If a name server lookup times out, the host name will not be available
 to the access control software, even though the host is registered.
--- a/hosts_options.5
+++ b/hosts_options.5
@@ -3,14 +3,18 @@
 hosts_options \- host access control language extensions
 .SH DESCRIPTION
 This document describes extensions to the language described
-in the hosts_access(5) document.
+in the
+.BR hosts_access (5)
+document.
 .PP
 The extensible language uses the following format:
 .sp
 .ti +3
 daemon_list : client_list : option : option ...
 .PP
-The first two fields are described in the hosts_access(5) manual page.
+The first two fields are described in the
+.BR hosts_access (5)
+manual page.
 The remainder of the rules is a list of zero or more options.  Any ":"
 characters within options should be protected with a backslash.
 .PP
@@ -26,8 +30,8 @@ names (such as mail) are optional, and a
 with older syslog implementations. The severity option can be used
 to emphasize or to ignore specific events.
 .SH ACCESS CONTROL
-.IP "allow"
-.IP "deny"
+.IP allow
+.IP deny
 Grant (deny) service. These options must appear at the end of a rule.
 .PP
 The \fIallow\fR and \fIdeny\fR keywords make it possible to keep all
@@ -54,18 +58,19 @@ Notice the leading dot on the domain nam
 .SH RUNNING OTHER COMMANDS
 .IP "spawn shell_command"
 Execute, in a child process, the specified shell command, after
-performing the %<letter> expansions described in the hosts_access(5)
+performing the %<letter> expansions described in the
+.BR hosts_access (5)
 manual page.  The command is executed with stdin, stdout and stderr
 connected to the null device, so that it won't mess up the
 conversation with the client host. Example:
 .sp
 .nf
 .ti +3
-spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
+spawn (/usr/sbin/safe_finger \-l @%h | /usr/bin/mail root) &
 .fi
 .sp
 executes, in a background child process, the shell command "safe_finger
--l @%h | mail root" after replacing %h by the name or address of the
+\-l @%h | mail root" after replacing %h by the name or address of the
 remote host.
 .sp
 The example uses the "safe_finger" command instead of the regular
@@ -76,7 +81,8 @@ the data sent by the remote host.
 .IP "twist shell_command"
 Replace the current process by an instance of the specified shell
 command, after performing the %<letter> expansions described in the
-hosts_access(5) manual page.  Stdin, stdout and stderr are connected to
+.BR hosts_access (5)
+manual page.  Stdin, stdout and stderr are connected to
 the client process. This option must appear at the end of a rule.
 .sp
 To send a customized bounce message to the client instead of
@@ -99,10 +105,12 @@ in.telnetd : ... : twist PATH=/some/othe
 .fi
 .sp
 Warning:  in case of UDP services, do not twist to commands that use
-the standard I/O or the read(2)/write(2) routines to communicate with
+the standard I/O or the
+.BR read (2)/ write (2)
+routines to communicate with
 the client process; UDP requires other I/O primitives.
 .SH NETWORK OPTIONS
-.IP "keepalive"
+.IP keepalive
 Causes the server to periodically send a message to the client.  The
 connection is considered broken when the client does not respond. The
 keepalive option can be useful when users turn off their machine while
@@ -116,7 +124,7 @@ data after the server process closes a c
 Look up the client user name with the RFC 931 (TAP, IDENT, RFC 1413)
 protocol.  This option is silently ignored in case of services based on
 transports other than TCP.  It requires that the client system runs an
-RFC 931 (IDENT, etc.) -compliant daemon, and may cause noticeable
+RFC 931 (IDENT, etc.\&) -compliant daemon, and may cause noticeable
 delays with connections from non-UNIX clients.  The timeout period is
 optional. If no timeout is specified a compile-time defined default
 value is taken.
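Review bot: The rewritten line "RFC 931 (IDENT, etc.\&) -compliant daemon" still has the stray space before "-compliant", so the hyphenated suffix is a separate word that can end up at the start of an output line. Since this line is being touched anyway, consider closing it up as "(IDENT, etc.\&)-compliant" or rewording it to "a daemon compliant with RFC 931 (IDENT, etc.\&)".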
@@ -126,7 +134,9 @@ Look for a file in `/some/directory\' wi
 process (for example in.telnetd for the telnet service), and copy its
 contents to the client. Newline characters are replaced by
 carriage-return newline, and %<letter> sequences are expanded (see
-the hosts_access(5) manual page).
+the
+.BR hosts_access (5)
+manual page).
 .sp
 The tcp wrappers source code distribution provides a sample makefile
 (Banners.Makefile) for convenient banner maintenance.
@@ -158,13 +168,14 @@ When a syntax error is found in an acces
 is reported to the syslog daemon; further options will be ignored,
 and service is denied.
 .SH SEE ALSO
-hosts_access(5), the default access control language
+.BR hosts_access (5),
+the default access control language
 .SH AUTHOR
 .na
 .nf
 Wietse Venema (wietse@wzv.win.tue.nl)
 Department of Mathematics and Computing Science
 Eindhoven University of Technology
-Den Dolech 2, P.O. Box 513, 
+Den Dolech 2, P.O.\& Box 513, 
 5600 MB Eindhoven, The Netherlands
-\" @(#) hosts_options.5 1.10 94/12/28 17:42:28
+.\" @(#) hosts_options.5 1.10 94/12/28 17:42:28
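Review bot: The added line "Den Dolech 2, P.O.\& Box 513, " keeps the trailing space after the comma from the line it replaces; please strip it while the line is being changed, since the block sits between ".nf" and the end of the file and gains nothing from it. The switch from "\"" to ".\"" for the SCCS id comment looks right, but the patch carries no description, so a one-line note in the commit message that this hunk also fixes the comment syntax would help anyone bisecting rendering differences later.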
