From owner-freebsd-doc@FreeBSD.ORG Fri Apr 24 08:55:32 2009
Date: Fri, 24 Apr 2009 04:55:19 -0400
From: Tom Rhodes <trhodes@FreeBSD.org>
To: Manolis Kiagias
Cc: pepper@cbio.mskcc.org, trhodes@FreeBSD.org, pgj@FreeBSD.org, freebsd-doc@FreeBSD.org, keramida@FreeBSD.org, gabor@FreeBSD.org
Subject: Re: [PATCH] for the 'firewalls' chapter
Message-Id: <20090424045519.337d3b4d.trhodes@FreeBSD.org>
In-Reply-To: <49F17583.4070200@gmail.com>
References: <49E796E6.70709@gmail.com> <20090424022336.3f4c6792.trhodes@FreeBSD.org> <49F17583.4070200@gmail.com>
X-Mailer: Sylpheed version 1.0.6 (GTK+ 1.2.10; amd64-portbld-freebsd8.0)

On Fri, 24 Apr 2009 11:17:07 +0300
Manolis Kiagias wrote:

> Tom Rhodes wrote:
> > Hey Manolis,
> >
> > My review, as promised, please see comments in line.  I'm sorry
> > it came so late!  Thanks!
> >
>
> Thank you Tom!  Integrated most of your changes and the patch and build
> are updated:
>
> http://people.freebsd.org/~manolis/firewalls.diff
>
> http://www.freebsdgr.org/handbook-mine/firewalls.html
>
> Few more comments below:
>
> > ALTQ with
> > -     PF.  Traffic shaping for IPFILTER can currently
> > -     be done with IPFILTER for NAT and filtering and
> > +     PF.  Traffic shaping for IPFILTER can currently
> > +     be done with IPFILTER for NAT and filtering and
> >       IPFW with &man.dummynet.4;
> >
> > Too many "and" in this sentence.  How about:
> >
> > "Traffic shaping for IPFILTER can currently be done with IPFILTER
> > for NAT.  IPFW filtering is handled via the &man.dummynet.4;
> > driver ..."
> >
> > Perhaps the entire paragraph should be re-worded after we
> > commit these other changes?
> >
>
> Yes, the entire paragraph makes no sense to me.  If you (or anyone
> else) can come up with an alternative, it would be nice to include in
> this (already too long) patch...

Good.  :)  I just tried and really, perhaps it's just too early, but
I'm at a loss.

> > Are we using "rule set" or "ruleset" because up above it was just
> > one word.  We should come to a conclusion and run a %s/one/right one/g
> > across this chapter then.  :)
> >
>
> True.  I changed everything to 'ruleset' for consistency.

Awesome.

> > +
> >       There is no way to match ranges of IP addresses which
> > -     do not express themselves easily as mask-length.  See this
> > +     do not express themselves easily using the dotted numeric
> > +     form / mask-length notation.  See this
> >       web page for help on writing mask-length:
> >       url="http://jodies.de/ipcalc">.
> >
> > It's a port too, that ipcalc utility.  :)
> >
>
> Added this info too, thanks!

Awesome.

> > There are some additional configuration statements that
> > need to be enabled to activate the NAT
> > -     function of IPFW.  The kernel source needs 'option IPDIVERT'
> > +     function of IPFW.  The kernel source needs option IPDIVERT
> >
> > I've always used:
> >
> > option SOMEOPTION
> >
> > But that's probably not a huge deal.
> >
>
> Well, I prefer for in-paragraph one liners and
> for longer separate sections.

Sure, I'm fine with that.  :)

-- 
Tom Rhodes
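Review bot: in the first quoted hunk (the "ALTQ with ... PF. Traffic shaping for IPFILTER" lines) the two removed lines and the two added lines read identically as quoted, so the hunk does not show what actually changed; the patch description should say whether this is a whitespace- or markup-only change, or the wording fix should be folded into this hunk so reviewers are not left looking for a difference that is not there.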