From owner-freebsd-doc@FreeBSD.ORG Mon Sep 20 16:13:00 2004
Delivered-To: freebsd-doc@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EA0516A4CE; Mon, 20 Sep 2004 16:13:00 +0000 (GMT)
Received: from aiolos.otenet.gr (aiolos.otenet.gr [195.170.0.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3248643D49; Mon, 20 Sep 2004 16:12:59 +0000 (GMT) (envelope-from keramida@freebsd.org)
Received: from orion.daedalusnetworks.priv (host5.bedc.ondsl.gr [62.103.39.229]) i8KGCtp1028151; Mon, 20 Sep 2004 19:12:55 +0300
Received: from orion.daedalusnetworks.priv (orion [127.0.0.1]) i8KGCkC4038174; Mon, 20 Sep 2004 19:12:46 +0300 (EEST) (envelope-from keramida@freebsd.org)
Received: (from keramida@localhost) i8KGCkIg038173; Mon, 20 Sep 2004 19:12:46 +0300 (EEST) (envelope-from keramida@freebsd.org)
Date: Mon, 20 Sep 2004 19:12:46 +0300
From: Giorgos Keramidas
To: Ceri Davies, Brad Davis
Message-ID: <20040920161246.GA19738@orion.daedalusnetworks.priv>
References: <20040918.161309.35654157.hrs@eos.ocn.ne.jp> <20040919105246.GW1538@submonkey.net> <200409191740.06579.so14k@so14k.com> <200409191905.56649.so14k@so14k.com> <20040920110628.GA2493@submonkey.net> <20040920133025.GB38865@orion.daedalusnetworks.priv> <20040920140759.GD2493@submonkey.net> <20040920141604.GA1156@orion.daedalusnetworks.priv>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040920141604.GA1156@orion.daedalusnetworks.priv>
cc: freebsd-doc@freebsd.org
Subject: Re: New firewall section (was: Re: HEADS UP: doc/ slush begins)
X-BeenThere: freebsd-doc@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Documentation project
X-List-Received-Date: Mon, 20 Sep 2004 16:13:00 -0000

On 2004-09-20 17:16, Giorgos Keramidas wrote:
> On 2004-09-20 15:07, Ceri Davies wrote:
> > If you're available now, and would like to work at this, please do.
>
> I'm at work, so there's an upper limit of the time I can spend on
> `other' tasks, but I'll try to send you a review until later tonight :)

I think this needs a fair bit of work, but if I find the time to sit down
and reorganize, copy, paste, merge and test all of the changes I have in
mind, I'll reply again later tonight.

Right now, all I have is a comparative TOC for the two sections (before
and after the patch submitted by Brad).

OLD LAYOUT                              | NEW LAYOUT
========================================|======================================
                                        | + Introduction
+ Introduction                          |
+ What Is a Firewall?                   | + Firewall Rule Set Types
  - Packet Filtering Routers            |
  - Proxy Servers                       | + Firewall Software Applications
+ What does IPFW allow me to do?        | + OpenBSD's PF Firewall
+ Enabling IPFW on FreeBSD              | + The IPFILTER (IPF) Firewall
                                        |   - Enabling IPF
+ Configuring IPFW                      |   - Kernel Options
  - Altering the IPFW Rules             |   - Available rc.conf Options
  - Listing the IPFW Rules              |   - IPF
  - Flushing the IPFW Rules             |   - IPFSTAT
  - Clearing the IPFW Packet Counters   |   - IPMON
                                        |   - IPMON Logging
+ Example Commands for IPFW             |   - The Format of Logged Messages
                                        |   - Building the Rule Script
+ Building a Packet Filtering Firewall  |   - IPF Rule Sets
                                        |   - IPF Rule Syntax
+ IPFW Overhead and Optimization        |     . ACTION
                                        |     . IN-OUT
                                        |     . OPTIONS
                                        |     . SELECTION
                                        |     . PROTO
                                        |     . SRC_ADDR/DST_ADDR
                                        |     . PORT
                                        |     . TCP_FLAG
                                        |     . STATEFUL
                                        |   - Stateful Filtering
                                        |   - Inclusive Rule set Example
                                        |   - NAT
                                        |   - IPNAT
                                        |   - IPNAT Rules
                                        |   - How NAT Works
                                        |   - Enabling IPNAT
                                        |   - NAT for a Very Large LAN
                                        |     . Assigning Ports to Use
                                        |     . Using a pool of public addresses
                                        |   - Port Redirection
                                        |   - FTP and NAT
                                        |     . IPNAT Rules
                                        |     . IPNAT FTP Filter Rules
                                        |     . FTP NAT Proxy Bug
                                        |
                                        | + IPFW
                                        |   - Enabling IPFW
                                        |   - Kernel Options
                                        |   - /etc/rc.conf Options
                                        |   - The IPFW Command
                                        |   - IPFW Rule Sets
                                        |     . Rule Syntax
                                        |     . CMD
                                        |     . RULE#
                                        |     . ACTION
                                        |     . Logging
                                        |     . Selection
                                        |     . Stateful Rule Option
                                        |     . Logging Firewall Messages
                                        |     . Building Rule Script
                                        |     . Stateful Ruleset
                                        |     . An Example Inclusive Ruleset
                                        |     . An Example NAT and Stateful Ruleset
________________________________________|______________________________________

It's obvious with just a quick glance that the proposed patch contains a
hell of a lot more material than the original chapter.  It also removes
some parts that I consider useful[1]; it lacks a fair bit in the area of
organization and presentation of the topics discussed[2]; it contains
several forward references[3] and pushes with a bit more strength than
I'd like for an ``inclusive'' type of firewall for all FreeBSD
installations.

Most of these, especially the last point, are things I've discussed with
Joseph J. Barbish in the past on -questions and privately.  Now that this
has finally (yeah, it was about time!) started being integrated into the
Handbook, I'd like to ask for approval from Joseph, Brad (who put a
tremendous amount of work in this already), Ceri and our translators to
hold back for a couple of days until I reshape this a bit.

It's great stuff.  I most certainly want it in the Handbook for
5.3-RELEASE.  But it's going to take at least a couple of days until I
have something to show you all, and I'm not sure if asking for a delay so
close to the tagging of the doc/ tree for 5.3-RELEASE is reasonable.

What do you all think?  Do we have the time to spend a few days
organizing, enhancing and bringing this new wonderful piece of
documentation into the Handbook?  It's a big diff (more than 3000 lines
now) and I'm a bit worried the translators won't really have the time to
work on this even if it goes in CVS tonight.

- Giorgos

PS: I don't have Joseph's email address anymore.  Can someone (i.e. Brad)
forward this to him, in case he's not subscribed to the -doc list.
----- Notes -----

[1] I'm referring to the IPFW overhead section and the introductory
    material of the original text, which is IMHO in a better shape and
    contains a lot more details about what this section is about, what a
    firewall is and why it's useful.

[2] The sub-sections and sub-sub-sections of IPF and IPFW seem to be just
    a mixed listing of concepts, commands, tools and ideas.  I'd prefer
    something that resembled `theoretical background' near the beginning
    and a `task driven' list at the end of each different firewall-type,
    with a lot of the common theory stuff moved as far up as possible.

[3] For instance, in the IPF sub-section ``Building the Rule Script'' is
    before the explanation of what a ``rule set'' is.  There are a few
    more, but I have to give a good look at this before I decide what's
    in the right place and what is not.