Date: Thu, 24 Jan 2013 14:28:06 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r40732 - head/en_US.ISO8859-1/books/handbook/firewalls Message-ID: <201301241428.r0OES60F065628@svn.freebsd.org>
Author: dru Date: Thu Jan 24 14:28:05 2013 New Revision: 40732 URL: http://svnweb.freebsd.org/changeset/doc/40732 Log: Minor content fix which addresses incorrect usage of it's, Let's, and most redundant word errors. Approved by: bcr (mentor) Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Jan 24 10:39:46 2013 (r40731) +++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Thu Jan 24 14:28:05 2013 (r40732) @@ -720,7 +720,7 @@ ipnat_rules="/etc/ipnat.rules" # rule as a result of applying the user coded rules against packets going in and out of the firewall since it was last started, or since the last time the accumulators were reset to zero - by the <command>ipf -Z</command> command.</para> + using <command>ipf -Z</command>.</para> <para>See the &man.ipfstat.8; manual page for details.</para> @@ -776,8 +776,8 @@ ipnat_rules="/etc/ipnat.rules" # rule 354727 block out on dc0 from any to any 430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen> - <para>One of the most important functions of the - <command>ipfstat</command> command is the <option>-t</option> + <para>One of the most important functions of + <command>ipfstat</command> is the <option>-t</option> flag which displays the state table in a way similar to the way &man.top.1; shows the &os; running process table. When your firewall is under attack, this function gives you the 
@@ -813,7 +813,7 @@ ipnat_rules="/etc/ipnat.rules" # rule automatically rotate system logs. That is why outputting the log information to &man.syslogd.8; is better than the default of outputting to a regular file. In the default - <filename>rc.conf</filename> file, the + <filename>rc.conf</filename>, the <literal>ipmon_flags</literal> statement uses the <option>-Ds</option> flags:</para> @@ -866,8 +866,8 @@ LOG_ERR - packets which have been logged <screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen> <para>The &man.syslogd.8; function is controlled by definition - statements in the <filename>/etc/syslog.conf</filename> file. - The <filename>syslog.conf</filename> file offers considerable + statements in <filename>/etc/syslog.conf</filename>. + This file offers considerable flexibility in how <application>syslog</application> will deal with system messages issued by software applications like IPF.</para> @@ -915,7 +915,7 @@ LOG_ERR - packets which have been logged </listitem> <listitem> - <para>The group and rule number of the rule, e.g. + <para>The group and rule number of the rule, e.g., <literal>@0:17</literal>.</para> </listitem> </orderedlist> @@ -1053,7 +1053,7 @@ EOF <listitem> <para>Disable IPFILTER in system startup scripts by adding <literal>ipfilter_enable="NO"</literal> (this is default - value) into <filename>/etc/rc.conf</filename> file.</para> + value) to <filename>/etc/rc.conf</filename>.</para> <para>Add a script like the following to your <filename 
@@ -1541,8 +1541,8 @@ sh /etc/ipf.rules.script</programlisting operating system of your server.</para> <para>Any time there are logged messages on a rule with - the <literal>log first</literal> option, an - <command>ipfstat -hio</command> command should be executed + the <literal>log first</literal> option, + <command>ipfstat -hio</command> should be executed to evaluate how many times the rule has actually matched. Large number of matches usually indicate that the system is being flooded (i.e.: under attack).</para> @@ -1710,7 +1710,7 @@ block in log first quick on dc0 proto tc block in log first quick on dc0 proto tcp/udp from any to any port = 81 # Allow traffic in from ISP's DHCP server. This rule must contain -# the IP address of your ISP's DHCP server as it's the only +# the IP address of your ISP's DHCP server as it is the only # authorized source to send this packet type. Only necessary for # cable or DSL configurations. This rule is not needed for # 'user ppp' type connection to the public Internet. @@ -1772,7 +1772,7 @@ block in log first quick on dc0 all dynamic IP address is used to identify your system to the public Internet.</para> - <para>Now lets say you have five PCs at home and each one needs + <para>Say you have five PCs at home and each one needs Internet access. You would have to pay your ISP for an individual Internet account for each PC and have five phone lines.</para> 
@@ -1847,16 +1847,16 @@ block in log first quick on dc0 all <indexterm><primary><command>ipnat</command></primary></indexterm> - <para><acronym>NAT</acronym> rules are loaded by using the - <command>ipnat</command> command. Typically the + <para><acronym>NAT</acronym> rules are loaded by using + <command>ipnat</command>. Typically the <acronym>NAT</acronym> rules are stored in <filename>/etc/ipnat.rules</filename>. See &man.ipnat.8; for details.</para> <para>When changing the <acronym>NAT</acronym> rules after <acronym>NAT</acronym> has been started, make your changes to - the file containing the NAT rules, then run the - <command>ipnat</command> command with the <option>-CF</option> + the file containing the NAT rules, then run + <command>ipnat</command> with the <option>-CF</option> flags to delete the internal in use <acronym>NAT</acronym> rules and flush the contents of the translation table of all active entries.</para> @@ -2304,8 +2304,8 @@ net.inet.ip.fw.verbose_limit=5</programl <programlisting>firewall_enable="YES"</programlisting> <para>To select one of the default firewall types provided by - &os;, select one by reading the - <filename>/etc/rc.firewall</filename> file and place it in + &os;, select one by reading + <filename>/etc/rc.firewall</filename> and place it in the following:</para> <programlisting>firewall_type="open"</programlisting> @@ -2388,8 +2388,7 @@ ipfw add deny out</programlisting> linkend="firewalls-ipfw-enable"/>). There is no <filename>rc.conf</filename> variable to set log limitations, but it can be set via sysctl variable, manually - or from the <filename>/etc/sysctl.conf</filename> - file:</para> + or from <filename>/etc/sysctl.conf</filename>:</para> <programlisting>net.inet.ip.fw.verbose_limit=5</programlisting> </warning> 
@@ -2610,8 +2609,7 @@ ipfw add deny out</programlisting> cases, a value of zero removes the logging limit. Once the limit is reached, logging can be re-enabled by clearing the logging counter or the packet counter for - that rule, see the <command>ipfw reset log</command> - command.</para> + that rule, use <command>ipfw reset log</command>.</para> <note> <para>Logging is done after @@ -2779,7 +2777,7 @@ ipfw add deny out</programlisting> down attackers.</para> <para>Even with the logging facility enabled, IPFW will not - generate any rule logging on it's own. The firewall + generate any rule logging on its own. The firewall administrator decides what rules in the ruleset will be logged, and adds the <literal>log</literal> verb to those rules. Normally only deny rules are logged, like the deny @@ -2816,9 +2814,8 @@ ipfw add deny out</programlisting> <programlisting>last message repeated 45 times</programlisting> <para>All logged packets messages are written by default to - <filename>/var/log/security</filename> file, which is - defined in the <filename>/etc/syslog.conf</filename> - file.</para> + <filename>/var/log/security</filename>, which is + defined in <filename>/etc/syslog.conf</filename>.</para> </sect3> <sect3 id="firewalls-ipfw-rules-script"> @@ -2864,8 +2861,8 @@ ks="keep-state" # just too lazy t in this example, how the symbolic substitution field are populated and used are.</para> - <para>If the above example was in the - <filename>/etc/ipfw.rules</filename> file, the rules could + <para>If the above example was in + <filename>/etc/ipfw.rules</filename>, the rules could be reloaded by entering the following on the command line.</para> 
@@ -3223,7 +3220,7 @@ natd_flags="-dynamic -m" # -m <literal>skipto rule 500</literal> for the network address translation.</para> - <para>Lets say a LAN user uses their web browser to get a web + <para>Say a LAN user uses their web browser to get a web page. Web pages are transmitted over port 80. So the packet enters the firewall. It does not match rule 100 because it is headed out rather than in. It passes rule @@ -3231,7 +3228,7 @@ natd_flags="-dynamic -m" # -m posted to the keep-state dynamic table yet. The packet finally comes to rule 125 a matches. It is outbound through the NIC facing the public Internet. The packet still has - it's source IP address as a private LAN IP address. On + its source IP address as a private LAN IP address. On the match to this rule, two actions take place. The <literal>keep-state</literal> option will post this rule into the keep-state dynamic rules table and the specified @@ -3254,14 +3251,14 @@ natd_flags="-dynamic -m" # -m entry is found, the associated action, <literal>skipto 500</literal>, is executed. The packet jumps to rule 500 gets <acronym>NAT</acronym>ed and released - on it's way out.</para> + on its way out.</para> <para>On the inbound side, everything coming in that is part of an existing session conversation is being automatically handled by the <literal>check-state</literal> rule and the properly placed <literal>divert natd</literal> rules. All we have to address is denying all the bad packets and only - allowing in the authorized services. Lets say there is an + allowing in the authorized services. Say there is an apache server running on the firewall box and we want people on the public Internet to be able to access the local web site. The new inbound start request packet matches rule 
@@ -3454,7 +3451,7 @@ pif="rl0" # public interface name of $cmd 332 deny tcp from any to any established in via $pif # Allow traffic in from ISP's DHCP server. This rule must contain -# the IP address of your ISP's DHCP server as it's the only +# the IP address of your ISP's DHCP server as it is the only # authorized source to send this packet type. # Only necessary for cable or DSL configurations. # This rule is not needed for 'user ppp' type connection to
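Review bot: in the @@ -3231 hunk the unchanged context line "The packet finally comes to rule 125 a matches." still carries a typo that this wording pass could pick up: "a matches" should read "and matches", since the sentence is describing the packet reaching rule 125 and matching it.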
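Review bot: in the @@ -2864 hunk the context line "in this example, how the symbolic substitution field are populated and used are." is an ungrammatical fragment left untouched by this change; since the commit is fixing wording in this chapter, consider rewriting it along the lines of "in this example, how the symbolic substitution fields are populated and used."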
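Review bot: in the @@ -2816 hunk the leading context line "All logged packets messages are written by default to" has a number agreement error that survives the edit; "All logged packet messages" (or simply "All log messages for logged packets") would read correctly, and it is in the same sentence already being modified.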
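Review bot: in the @@ -1541 hunk the trailing context "Large number of matches usually indicate that the system is being flooded (i.e.: under attack)." needs an article and verb agreement: "A large number of matches usually indicates ...", and the "(i.e.: under attack)" punctuation would be cleaner as "(i.e., under attack)", matching the "e.g.," style adopted in the @@ -915 hunk.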
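Review bot: in the @@ -2610 hunk the new line "+ that rule, use <command>ipfw reset log</command>.</para>" turns the sentence into a comma splice ("logging can be re-enabled by clearing ... for that rule, use ipfw reset log"); either keep "see" from the removed line ("that rule; see <command>ipfw reset log</command>") or rephrase as "for that rule with <command>ipfw reset log</command>" so the sentence has a single main clause.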