From: MP
To: freebsd-doc@freebsd.org
Subject: Suggestion for Chapter 33 (firewalls) in FreeBSD handbook
Date: Wed, 22 Apr 2026 19:20:08 -0400
Message-ID: <3407444.aeNJFYEL58@debianlenovo>

I think that the "if firewall_type...configuration of the system" line in Chapter 33 of the Handbook under IPFW is confusing because it makes it seem like only the "client" or "simple" IPFW presets can be modified by the rules specified in /etc/rc.firewall. There is nothing mentioning that, for example, inbound ssh connections can be allowed on the workstation preset by using firewall_myservices and firewall_allowservices. Furthermore, there is nothing that I could easily find in the handbook or in /etc/rc.firewall that indicates that the modifications to the default rules should be added to /etc/rc.conf to persist across reboots.
I think that there should be something in the handbook that says something like "configuring something like allowing inbound ssh connections to the workstation preset can be done by adding 'firewall_myservices="ssh"' and 'firewall_allowservices="any"' as found in /etc/rc.firewall to /etc/rc.conf" would be helpful. Or there at least could be something indicating that all presets can be modified by adding rules found in /etc/rc.firewall to /etc/rc.conf.
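
The settings named in the message above, written out as a persistent /etc/rc.conf fragment. This is an added example, not part of the original message or of the Handbook; the 192.0.2.0/24 management network in the commented alternative is a placeholder assumption.

```sh
# /etc/rc.conf (fragment): constructed example
firewall_enable="YES"          # enable ipfw and run /etc/rc.firewall at boot
firewall_type="workstation"    # the preset the message refers to
firewall_myservices="ssh"      # services this host offers (value from the message)
firewall_allowservices="any"   # sources allowed to reach them (value from the message)

# Narrower alternative to "any": admit the listed services only from a
# management network. 192.0.2.0/24 is a documentation placeholder (assumption).
#firewall_allowservices="192.0.2.0/24"
```

Because /etc/rc.conf is read at boot, values set here persist across reboots. After editing, `service ipfw restart` reloads the ruleset and `ipfw list` shows the rules that were generated.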