From 2c7b8e0e6b331ff9048bc365dbfbdfb9e7c64909 Mon Sep 17 00:00:00 2001
From: Giorgos Keramidas
Date: Fri, 21 Jan 2005 14:33:01 +0000
Subject: [PATCH] + Many punctuation and wording fixes:
- Whitespace before punctuation was removed.
- Numbers below 10 are spelled out as words.
- Reworded some sentences and added missing words.
+ Added a note about periodically flushing firewall rules to make sure
one is not locked out while tinkering with rulesets.
PR: docs/76533
Submitted by: Brad Davis
---
.../books/handbook/firewalls/chapter.sgml | 74 ++++++++++---------
1 file changed, 38 insertions(+), 36 deletions(-)
diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
index fb0a2594b9..5dc392aace 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
@@ -336,8 +336,7 @@ pflog_flags="" # additional flags for pflogd startup
and
- .
+ url="http://coombs.anu.edu.au/~avalon/ip-filter.html">.
The IPF FAQ is at .
@@ -350,8 +349,8 @@ pflog_flags="" # additional flags for pflogd startup is used. The loadable
module was created with logging enabled and the default
pass all options. You do not need to compile IPF into
- the &os; kernel just to change the default to block all
- , you can do that by just coding a block all rule at
+ the &os; kernel just to change the default to block
+ all, you can do that by just coding a block all rule at
the end of your rule set.
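Review bot: the re-punctuated sentence in the added lines is still a comma splice ("...to block all, you can do that by just coding..."); a semicolon or a full stop after "all" would read cleaner than the comma this hunk moves.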
@@ -521,7 +520,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnatIPMON
In order for ipmon to work properly, the
kernel option IPFILTER_LOG must be turned on. This command has
- 2 different modes that it can be used in. Native mode is the default
+ two different modes that it can be used in. Native mode is the default
mode when you type the command on the command line without the
flag.
@@ -595,11 +594,8 @@ LOG_ERR - packets which have been logged and which can be considered shortTo activate the changes to /etc/syslog.conf
you can reboot or bump the syslog task into
re-reading /etc/syslog.conf by running
- /etc/rc.d/syslogd restart (
- kill -HUP PID in &os; 4.x. You get the PID (i.e. process
- identifier) by listing the tasks with the ps -ax
- command. Find syslog in the display and the PID is the number
- in the left column).
+ /etc/rc.d/syslogd restart
+ (killall -HUP syslogd in &os; 4.X).
Do not forget to change /etc/newsyslog.conf
to rotate the new log you just created above.
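Review bot: the replacement `killall -HUP syslogd` in the added line signals every process whose name matches, whereas the removed text identified the one PID; on a host running a single syslogd that is equivalent, but `kill -HUP $(cat /var/run/syslog.pid)` keeps the precision of the old instructions without the ps walk, since syslogd writes its PID there. Also, `/etc/rc.d/syslogd restart` stops and starts the daemon rather than making it re-read its configuration as the sentence says; if the rc.d script provides a `reload` target, that matches the 4.X HUP more closely.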
@@ -708,7 +704,7 @@ LOG_ERR - packets which have been logged and which can be considered short############# Start of IPF rules script ########################
oif="dc0" # name of the outbound interface
-odns="192.0.2.11" # ISP's dns server IP address
+odns="192.0.2.11" # ISP's DNS server IP address
myip="192.0.2.7" # my static IP address from ISP
ks="keep state"
fks="flags S keep state"
@@ -777,7 +773,7 @@ sh /etc/ipf.rules.script
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall rule set processes the
- packet 2 times, once on its arrival from the public Internet
+ packet two times, once on its arrival from the public Internet
host and again as it leaves for its return trip back to the
public Internet host. Each TCP/IP service (i.e. telnet, www,
mail, etc.) is predefined by its protocol, source and
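Review bot: the added line here says "packet two times" while the hunk at @@ -1932 rewrites the identical sentence as "packet twice:"; since this patch is about consistency, pick one form for both sections (twice reads better).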
@@ -808,8 +804,12 @@ sh /etc/ipf.rules.script
Warning, when working with the firewall rules, always,
- always do it from the root console of the system running the
- firewall or you can end up locking your self out.
+ always do it on the console of the system running the
+ firewall or you can end up locking your self out.
+ Alternatively, you may setup a cronjob to flush the
+ firewall rules say every five minutes.
+ This may not be acceptable for a corporate firewall,
+ but should be ok for a home firewall.
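Review bot: the added cron-flush suggestion should say what a flush leaves behind: with the IPF module described earlier in this chapter as defaulting to pass all, flushing the rule set removes all filtering until the rules are reloaded, so the cron job is a safety net for a testing session and should be removed afterwards rather than left running on a home firewall indefinitely. The added lines also carry typos worth fixing while here: "your self" should be "yourself", "setup" as a verb should be "set up", and "ok" should be "OK".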
@@ -820,7 +820,8 @@ sh /etc/ipf.rules.script
rule wins logic. For the complete legacy rule syntax
description see the &man.ipf.8; manual page.
- # is used to mark the start of a comment and may appear at
+ A # character is used to mark the
+ start of a comment and may appear at
the end of a rule line or on its own line. Blank lines are
ignored.
@@ -1376,13 +1377,13 @@ block in log first quick on dc0 all
get assigned a different IP address. This IP address is how
you are known to the public Internet.
- Now lets say you have 5 PCs at home and each one needs
+ Now lets say you have five PCs at home and each one needs
Internet access. You would have to pay your ISP for an
- individual Internet account for each PC and have 5 phone
+ individual Internet account for each PC and have five phone
lines.With NAT you only need a single account
- with your ISP, then cable your other 4 PCs to a switch and
+ with your ISP, then cable your other four PCs to a switch and
the switch to the NIC in your &os; system which is going to
service your LAN as a gateway. NAT will
automatically translate the private LAN IP address for each
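Review bot: the added line keeps "Now lets say"; "lets" should be "let's" since the patch already touches this sentence.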
@@ -1444,7 +1445,7 @@ block in log first quick on dc0 all
NAT rules are loaded by using the ipnat
command. Typically the NAT rules are stored
- in /etc/ipnat.rules . See &man.ipnat.1
+ in /etc/ipnat.rules. See &man.ipnat.1
for details.When changing the NAT rules after
@@ -1535,7 +1536,7 @@ block in log first quick on dc0 all
Enabling IPNATTo enable IPNAT add these statements to
- /etc/rc.conf
+ /etc/rc.conf.To enable your machine to route traffic between
interfaces:
@@ -1561,12 +1562,14 @@ block in log first quick on dc0 all
becomes a resource problem that may cause problems with the same
port numbers being used many times across many
NATed LAN PC's, causing collisions. There
- are 2 ways to relieve this resource problem.
+ are two ways to relieve this resource problem.Assigning Ports to Use
- XXXBLAH
+
+ A normal NAT rule would look like:map dc0 192.168.1.0/24 -> 0.32
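Review bot: the NAT rule added in the last line, `map dc0 192.168.1.0/24 -> 0.32`, has a typo in the target: it should read `0/32` (address zero with a /32 mask, as in the `-> 0/32` rules used later in this chapter); `0.32` is not a valid address/mask and the rule will not load as written.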
@@ -1672,12 +1675,12 @@ block in log first quick on dc0 all
map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
- This rule handles the FTP traffic from the gateway.
+ This rule handles the FTP traffic from the gateway:map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcpThis rule handles all non-FTP traffic from the internal
- LAN.
+ LAN:
map dc0 10.0.10.0/29 -> 0/32
@@ -1701,7 +1704,7 @@ block in log first quick on dc0 all
NAT FTP proxy is used.
Without the FTP Proxy you will need the following three
- rules
+ rules:
# Allow out LAN PC client FTP to public Internet
# Active and passive modes
@@ -1724,14 +1727,13 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep stateNAT
FTP/proxy appears to remove its temp rules prematurely,
before receiving the response from the remote FTP server
- acknowledging the close. Posted problem report to ipf
- mailing list.
+ acknowledging the close. A problem report was posted to the
+ IPF mailing list.
- Solution is to add filter rule like this one to get rid
+ The solution is to add a filter rule to get rid
of these unwanted log messages or do nothing and ignore FTP
- inbound error messages in your log. Not like you do FTP
- session to the public Internet all the time, so this is not
- a big deal.
+ inbound error messages in your log. Most people do not use
+ outbound FTP too often.block in quick on rl0 proto tcp from any to any port = 21
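Review bot: the replacement sentence "Most people do not use outbound FTP too often" reads better as "very often". Since the suggested `block in quick on rl0 proto tcp from any to any port = 21` rule uses `quick`, the text should also say where it goes relative to any `pass in` rule for port 21: placed earlier it would shadow such a rule if the gateway itself ever accepts FTP connections.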
@@ -1758,7 +1760,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state
- IPFW is composed of 7 components, the primary component is
+ IPFW is composed of seven components, the primary component is
the kernel firewall filter rule processor and its integrated
packet accounting facility, the logging facility, the 'divert'
rule which triggers the NAT facility, and the
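Review bot: "composed of seven components, the primary component is" remains a comma splice in the added line; a colon after "components" would fix it.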
@@ -1820,7 +1822,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state5 is the
number of consecutive times to log evidence of this unique
occurrence.
@@ -1932,7 +1934,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall rule set processes the
- packet 2 times, once on its arrival from the public Internet
+ packet twice: once on its arrival from the public Internet
host and again as it leaves for its return trip back to the
public Internet host. Each tcp/ip service (i.e. telnet, www,
mail, etc.) is predefined by its protocol, and port number.
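Review bot: "tcp/ip" in the trailing context line of this hunk is lowercase while the corresponding IPF-section sentence edited earlier in this patch uses "TCP/IP"; worth capitalizing it here too for consistency.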
@@ -2207,7 +2209,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT
the kernel, the number of consecutive messages concerning
a particular rule is capped at the number specified. There
is nothing to be gained from 200 log messages saying the
- same identical thing. For instance, 5 consecutive messages
+ same identical thing. For instance, five consecutive messages
concerning a particular rule would be logged to syslogd,
the remainder identical consecutive messages would be
counted and posted to the syslogd with a phrase like
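Review bot: "the remainder identical consecutive messages" in the trailing context should be "the remaining identical consecutive messages"; since the patch touches this paragraph it could be fixed here.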
@@ -2334,7 +2336,7 @@ ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state
The Inbound section has all the blocking of undesirable
- packets first for 2 different reasons. First is these things
+ packets first for two different reasons. First is these things
being blocked may be part of an otherwise valid packet which
may be allowed in by the later authorized service rules.
Second reason is that by having a rule that explicitly