Date: Fri, 21 Jan 2005 05:32:18 -0700 (MST)
From: Brad Davis <so14k@so14k.com>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: docs/76533: Misc punctuation fixes for the FW chapter.
Message-ID: <20050121123218.88022E7B@mccaffrey.house.so14k.com>
Resent-Message-ID: <200501211240.j0LCeR6j010294@freefall.freebsd.org>
>Number: 76533 >Category: docs >Synopsis: Misc punctuation fixes for the FW chapter. >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Fri Jan 21 12:40:26 GMT 2005 >Closed-Date: >Last-Modified: >Originator: Brad Davis >Release: FreeBSD 4.10-STABLE i386 >Organization: >Environment: System: FreeBSD mccaffrey.house.so14k.com 4.10-STABLE FreeBSD 4.10-STABLE #0: Fri May 28 08:02:41 MDT 2004 root@mccaffrey.house.so14k.com:/usr/obj/usr/src/sys/MCCAFFREY i386 >Description: 1. Remove a space before a period. 2. Remove a space before a comma. 3. s/2/two/ 4. Fix spacing around a parentheses. 5. s/dns/DNS/ 6. Add note about using a cronjob to flush the rules every so often to prevent locking oneself out. 7. Add missing beginning. 8. Remove another space before a period. 9. Add a missing period 10. s/2/two/ 11. Ack! Remove the XXXBLAH I left and replace it with something useful. 12. s/\./:/ 13. Add a missing : 14. Fix wording. >How-To-Repeat: >Fix: --- doc-ori/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml Wed Jan 19 07:01:03 2005 +++ doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml Fri Jan 21 05:24:47 2005 @@ -336,8 +336,8 @@ method see: <ulink url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink> and <ulink - url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink> - .</para> + url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>. + </para> <para>The IPF FAQ is at <ulink url="http://www.phildev.net/ipf/index.html"></ulink>.</para> 
@@ -350,8 +350,8 @@ ipfilter_enable="YES"</literal> is used. The loadable module was created with logging enabled and the <literal>default pass all</literal> options. You do not need to compile IPF into - the &os; kernel just to change the default to <literal>block all - </literal>, you can do that by just coding a block all rule at + the &os; kernel just to change the default to <literal>block + all</literal>, you can do that by just coding a block all rule at the end of your rule set.</para> </sect2> @@ -521,8 +521,8 @@ <title>IPMON</title> <para>In order for <command>ipmon</command> to work properly, the kernel option IPFILTER_LOG must be turned on. This command has - 2 different modes that it can be used in. Native mode is the default - mode when you type the command on the command line without the + two different modes that it can be used in. Native mode is the + default mode when you type the command on the command line without the <option>-D</option> flag.</para> <para>Daemon mode is for when you want to have a continuous @@ -595,11 +595,12 @@ <para>To activate the changes to <filename>/etc/syslog.conf </filename> you can reboot or bump the syslog task into re-reading <filename>/etc/syslog.conf</filename> by running - <command>/etc/rc.d/syslogd restart</command> (<command> - kill -HUP <replaceable>PID</replaceable></command> in &os; 4.x. You get the PID (i.e. process - identifier) by listing the tasks with the <command>ps -ax</command> - command. Find syslog in the display and the PID is the number - in the left column).</para> + <command>/etc/rc.d/syslogd restart</command> + (<command>kill -HUP <replaceable>PID</replaceable></command> + in &os; 4.x. You get the PID (i.e. process identifier) by + listing the tasks with the <command>ps -ax</command> command. + Find syslog in the display and the PID is the number in the + left column).</para> <para>Do not forget to change <filename>/etc/newsyslog.conf </filename> to rotate the new log you just created above. 
@@ -708,7 +709,7 @@ <programlisting>############# Start of IPF rules script ######################## oif="dc0" # name of the outbound interface -odns="192.0.2.11" # ISP's dns server IP address +odns="192.0.2.11" # ISP's DNS server IP address myip="192.0.2.7" # my static IP address from ISP ks="keep state" fks="flags S keep state" @@ -809,7 +810,10 @@ <note> <para>Warning, when working with the firewall rules, always, always do it from the root console of the system running the - firewall or you can end up locking your self out.</para> + firewall or you can end up locking your self out. Or setup a + cronjob to flush the Firewall rules say every 5 minutes. + (This might not be acceptable for a corporate firewall, but + should be for a home firewall.)</para> </note> </sect2> @@ -820,7 +824,7 @@ rule wins</quote> logic. For the complete legacy rule syntax description see the &man.ipf.8; manual page.</para> - <para><literal>#</literal> is used to mark the start of a comment and may appear at + <para>A <literal>#</literal> is used to mark the start of a comment and may appear at the end of a rule line or on its own line. Blank lines are ignored.</para> @@ -1444,7 +1448,7 @@ <para><acronym>NAT</acronym> rules are loaded by using the <command>ipnat</command> command. Typically the <acronym>NAT</acronym> rules are stored - in <filename>/etc/ipnat.rules </filename>. See &man.ipnat.1 + in <filename>/etc/ipnat.rules</filename>. See &man.ipnat.1 for details.</para> <para>When changing the <acronym>NAT</acronym> rules after @@ -1535,7 +1539,7 @@ <title>Enabling IP<acronym>NAT</acronym></title> <para>To enable IP<acronym>NAT</acronym> add these statements to - <filename>/etc/rc.conf</filename></para> + <filename>/etc/rc.conf</filename>.</para> <para>To enable your machine to route traffic between interfaces:</para> 
@@ -1561,12 +1565,14 @@ becomes a resource problem that may cause problems with the same port numbers being used many times across many <acronym>NAT</acronym>ed LAN PC's, causing collisions. There - are 2 ways to relieve this resource problem.</para> + are two ways to relieve this resource problem.</para> <sect3> <title>Assigning Ports to Use</title> <!-- What does it mean ? Is there something missing ?--> - <para>XXXBLAH</para> + <!-- XXXBLAH <- Apparently you can't start a sect + with a <programlisting> tag ?--> + <para>A normal NAT rule would look like:</para> <programlisting>map dc0 192.168.1.0/24 -> 0.32</programlisting> @@ -1672,12 +1678,12 @@ <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting> - <para>This rule handles the FTP traffic from the gateway.</para> + <para>This rule handles the FTP traffic from the gateway:</para> <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting> <para>This rule handles all non-FTP traffic from the internal - LAN.</para> + LAN:</para> A <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting> @@ -1701,7 +1707,7 @@ <acronym>NAT</acronym> FTP proxy is used.</para> <para>Without the FTP Proxy you will need the following three - rules</para> + rules:</para> <programlisting># Allow out LAN PC client FTP to public Internet # Active and passive modes 
@@ -1724,14 +1730,13 @@ logged coming in on port 21. The <acronym>NAT</acronym> FTP/proxy appears to remove its temp rules prematurely, before receiving the response from the remote FTP server - acknowledging the close. Posted problem report to ipf - mailing list.</para> + acknowledging the close. A problem report was posted to the + IPF mailing list.</para> - <para>Solution is to add filter rule like this one to get rid + <para>The solution is to add filter rule like this one to get rid of these unwanted log messages or do nothing and ignore FTP - inbound error messages in your log. Not like you do FTP - session to the public Internet all the time, so this is not - a big deal.</para> + inbound error messages in your log. Most people don't do + outbound FTP too often.</para> <programlisting>Block in quick on rl0 proto tcp from any to any port = 21</programlisting> </sect3> >Release-Note: >Audit-Trail: >Unformatted:
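Review bot: The cron-job advice added in the @@ -809,7 hunk trades a lockout for a periodic fail-open window and should say so or be dropped. Flushing the rules "every 5 minutes" leaves the host with no filtering at all (and, per the @@ -350,8 hunk, the loadable module defaults to `pass all`) until the rule set is loaded again, and the new sentences never say to reload it or to remove the cron entry once the rules are known good. If the advice stays, suggest recommending a one-shot safety net instead (load the new rules, have a timed job restore the last known-good set a few minutes later unless it is cancelled) and wording it as something to remove afterwards. Also `setup` should be `set up`, `your self` should be `yourself`, and `Firewall` should be lower case mid-sentence.

Review bot: While the @@ -1444,7 hunk is fixing whitespace in this paragraph, the unchanged context line `See &man.ipnat.1` lacks the terminating `;` that every other entity reference in the patch carries (for example `&man.ipf.8;` in the @@ -820,7 hunk); worth extending the hunk to write `&man.ipnat.1;`.

Review bot: The @@ -1561,12 hunk only half-retires the placeholder: it replaces `<para>XXXBLAH</para>` but leaves the older `<!-- What does it mean ? Is there something missing ?-->` comment in place and adds a second comment that is itself a question (`Apparently you can't start a sect with a <programlisting> tag ?`). Either drop both comments now that a lead-in paragraph exists, or keep one comment that states the reason plainly. In the new `<para>A normal NAT rule would look like:</para>`, mark NAT as `<acronym>NAT</acronym>` as the surrounding lines of the same hunk do. The unchanged rule below it, `map dc0 192.168.1.0/24 -> 0.32`, also looks like a typo for `0/32`, the form used by every other map rule in the @@ -1672,12 hunk; fixing it here would save a round trip.

Review bot: In the @@ -1672,12 hunk there is a stray `A` between `LAN:</para>` and `<programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>` on an unchanged context line. If that character is really in chapter.sgml rather than an artifact of how the diff was pasted, it renders as text in the handbook and should be removed in the same hunk.

Review bot: The @@ -1724,14 hunk's rewritten sentence still reads `add filter rule like this one`; it should be `add a filter rule like this one`. Two points in the unchanged rule line below are worth folding in while this paragraph is being edited: `Block` is capitalised where every other rule in the chapter is lower case (`block all` in the @@ -350,8 hunk, the `map dc0 ...` rules), and the rule names `rl0` while the example rule set declares `oif="dc0"` as the outbound interface in the @@ -708,7 hunk, so a reader pasting it gets a rule on an interface the script never mentions. Also `Most people don't do outbound FTP too often.` is chatty for the handbook; `Outbound FTP sessions to the public Internet are usually rare, so this is not a serious problem.` keeps the meaning.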