+ Many punctuation and wording fixes:

  - Whitespace before punctuation was removed.
  - Numbers below 10 are spelled out as words.
  - Reworded some sentences and added missing words.

+ Added a note about periodically flushing firewall rules to make sure
  one is not locked out while tinkering with rulesets.

PR:		docs/76533
Submitted by:	Brad Davis <so14k@so14k.com>
This commit is contained in:
Giorgos Keramidas 2005-01-21 14:33:01 +00:00
parent 52b9a67c85
commit 2c7b8e0e6b
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=23612


@ -336,8 +336,7 @@ pflog_flags="" # additional flags for pflogd startup</programli
method see: <ulink
url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink>
and <ulink
url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>
.</para>
url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
<para>The IPF FAQ is at <ulink
url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
@ -350,8 +349,8 @@ pflog_flags="" # additional flags for pflogd startup</programli
ipfilter_enable="YES"</literal> is used. The loadable
module was created with logging enabled and the <literal>default
pass all</literal> options. You do not need to compile IPF into
the &os; kernel just to change the default to <literal>block all
</literal>, you can do that by just coding a block all rule at
the &os; kernel just to change the default to <literal>block
all</literal>, you can do that by just coding a block all rule at
the end of your rule set.</para>
</sect2>
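Review bot: the line break moved into `<literal>block` / `all</literal>` still sits inside the `<literal>` element, so whether it renders as a single space depends on the stylesheet normalizing whitespace inside inline literals; keeping `<literal>block all</literal>` on one line and breaking the line before the tag avoids the question. The same sentence, "You do not need to compile IPF into the &os; kernel just to change the default to block all, you can do that by just coding a block all rule at the end of your rule set." is a comma splice; "block all; you can do that by adding a block all rule" reads better and matches the commit's wording fixes.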
@ -521,7 +520,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat</programlist
<title>IPMON</title>
<para>In order for <command>ipmon</command> to work properly, the
kernel option IPFILTER_LOG must be turned on. This command has
2 different modes that it can be used in. Native mode is the default
two different modes that it can be used in. Native mode is the default
mode when you type the command on the command line without the
<option>-D</option> flag.</para>
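Review bot: `IPFILTER_LOG` in "the kernel option IPFILTER_LOG must be turned on" is a kernel configuration option name and should carry markup, for example `<option>IPFILTER_LOG</option>` or `<literal>IPFILTER_LOG</literal>`, the way `<option>-D</option>` does two lines below; the line is not touched by this hunk, but the "2" to "two" change next to it is a good opportunity.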
@ -595,11 +594,8 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
<para>To activate the changes to <filename>/etc/syslog.conf
</filename> you can reboot or bump the syslog task into
re-reading <filename>/etc/syslog.conf</filename> by running
<command>/etc/rc.d/syslogd restart</command> (<command>
kill -HUP <replaceable>PID</replaceable></command> in &os; 4.x. You get the PID (i.e. process
identifier) by listing the tasks with the <command>ps -ax</command>
command. Find syslog in the display and the PID is the number
in the left column).</para>
<command>/etc/rc.d/syslogd restart</command>
(<command>killall -HUP <replaceable>syslogd</replaceable></command> in &os; 4.X).</para>
<para>Do not forget to change <filename>/etc/newsyslog.conf
</filename> to rotate the new log you just created above.
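Review bot: `<replaceable>syslogd</replaceable>` in the added line `(<command>killall -HUP <replaceable>syslogd</replaceable></command> in &os; 4.X)` marks a fixed process name as a user-supplied placeholder and will render it in the placeholder style; `syslogd` is literal here and belongs directly inside `<command>`. The removed `kill -HUP <replaceable>PID</replaceable>` used `<replaceable>` correctly because the PID really does vary. The new line also writes "4.X" where the removed text had "4.x"; pick one spelling for the release name.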
@ -708,7 +704,7 @@ LOG_ERR - packets which have been logged and which can be considered short</scre
<programlisting>############# Start of IPF rules script ########################
oif="dc0" # name of the outbound interface
odns="192.0.2.11" # ISP's dns server IP address
odns="192.0.2.11" # ISP's DNS server IP address
myip="192.0.2.7" # my static IP address from ISP
ks="keep state"
fks="flags S keep state"
@ -777,7 +773,7 @@ sh /etc/ipf.rules.script</programlisting>
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall rule set processes the
packet 2 times, once on its arrival from the public Internet
packet two times, once on its arrival from the public Internet
host and again as it leaves for its return trip back to the
public Internet host. Each TCP/IP service (i.e. telnet, www,
mail, etc.) is predefined by its protocol, source and
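Review bot: "processes the packet two times" here versus "processes the packet twice" in the IPFW copy of this same paragraph (`@ -1932,7 +1934,7 @@`): the two sections share the paragraph nearly verbatim, so use the same wording, and "twice" is the more natural choice. Also "(i.e. telnet, www, mail, etc.)" lists examples, so "e.g." is the right abbreviation.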
@ -808,8 +804,12 @@ sh /etc/ipf.rules.script</programlisting>
<!-- XXX; should use <warning> here -->
<note>
<para>Warning, when working with the firewall rules, always,
always do it from the root console of the system running the
firewall or you can end up locking your self out.</para>
always do it on the console of the system running the
firewall or you can end up locking your self out.
Alternatively, you may setup a cronjob to flush the
firewall rules say every five minutes.
This may not be acceptable for a corporate firewall,
but should be ok for a home firewall.</para>
</note>
</sect2>
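Review bot: "your self" in "firewall or you can end up locking your self out." survives into the rewritten line and should be "yourself"; in the added sentences "setup" is the noun, the verb is "set up", and "ok" should be "OK". On substance, the `ipfilter_enable` hunk earlier in this diff states that the loadable module defaults to `pass all`, so a cron job that flushes the rules every five minutes leaves the host unfiltered after each flush until the ruleset is reloaded; the note should say plainly that the cron entry is a safety net for the testing session only and must be removed once the ruleset is verified. Finally, the `<!-- XXX; should use <warning> here -->` comment still applies: the paragraph opens with "Warning," inside a `<note>`, and this edit of the same lines could have converted it to `<warning>`.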
@ -820,7 +820,8 @@ sh /etc/ipf.rules.script</programlisting>
rule wins</quote> logic. For the complete legacy rule syntax
description see the &man.ipf.8; manual page.</para>
<para><literal>#</literal> is used to mark the start of a comment and may appear at
<para>A <literal>#</literal> character is used to mark the
start of a comment and may appear at
the end of a rule line or on its own line. Blank lines are
ignored.</para>
@ -1376,13 +1377,13 @@ block in log first quick on dc0 all
get assigned a different IP address. This IP address is how
you are known to the public Internet.</para>
<para>Now lets say you have 5 PCs at home and each one needs
<para>Now lets say you have five PCs at home and each one needs
Internet access. You would have to pay your ISP for an
individual Internet account for each PC and have 5 phone
individual Internet account for each PC and have five phone
lines.</para>
<para>With <acronym>NAT</acronym> you only need a single account
with your ISP, then cable your other 4 PCs to a switch and
with your ISP, then cable your other four PCs to a switch and
the switch to the NIC in your &os; system which is going to
service your LAN as a gateway. <acronym>NAT</acronym> will
automatically translate the private LAN IP address for each
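Review bot: "Now lets say" in the rewritten line should be "Now let's say" (contraction of "let us"); the line is already being changed for "five", so fix it in the same edit.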
@ -1535,7 +1536,7 @@ block in log first quick on dc0 all
<title>Enabling IP<acronym>NAT</acronym></title>
<para>To enable IP<acronym>NAT</acronym> add these statements to
<filename>/etc/rc.conf</filename></para>
<filename>/etc/rc.conf</filename>.</para>
<para>To enable your machine to route traffic between
interfaces:</para>
@ -1561,12 +1562,14 @@ block in log first quick on dc0 all
becomes a resource problem that may cause problems with the same
port numbers being used many times across many
<acronym>NAT</acronym>ed LAN PC's, causing collisions. There
are 2 ways to relieve this resource problem.</para>
are two ways to relieve this resource problem.</para>
<sect3>
<title>Assigning Ports to Use</title>
<!-- What does it mean ? Is there something missing ?-->
<para>XXXBLAH</para>
<!-- XXXBLAH <- Apparently you can't start a sect
with a <programlisting> tag ?-->
<para>A normal NAT rule would look like:</para>
<programlisting>map dc0 192.168.1.0/24 -> 0.32</programlisting>
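Review bot: the placeholder `<para>XXXBLAH</para>` and its two XXX comments survive the edit and will render the literal text "XXXBLAH" under the "Assigning Ports to Use" heading; since `<para>A normal NAT rule would look like:</para>` already opens the section before the `<programlisting>`, the placeholder paragraph and the comment about starting a sect with `<programlisting>` can be dropped (or the missing explanation the first comment asks about should be written). Also "<acronym>NAT</acronym>ed LAN PC's" in the context lines is a plural, not a possessive, and should be "PCs", as the IPNAT overview hunk in this same diff already writes it.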
@ -1672,12 +1675,12 @@ block in log first quick on dc0 all
<programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
<para>This rule handles the FTP traffic from the gateway.</para>
<para>This rule handles the FTP traffic from the gateway:</para>
<programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
<para>This rule handles all non-FTP traffic from the internal
LAN.</para>
LAN:</para>
<programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
@ -1701,7 +1704,7 @@ block in log first quick on dc0 all
<acronym>NAT</acronym> FTP proxy is used.</para>
<para>Without the FTP Proxy you will need the following three
rules</para>
rules:</para>
<programlisting># Allow out LAN PC client FTP to public Internet
# Active and passive modes
@ -1724,14 +1727,13 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
logged coming in on port 21. The <acronym>NAT</acronym>
FTP/proxy appears to remove its temp rules prematurely,
before receiving the response from the remote FTP server
acknowledging the close. Posted problem report to ipf
mailing list.</para>
acknowledging the close. A problem report was posted to the
IPF mailing list.</para>
<para>Solution is to add filter rule like this one to get rid
<para>The solution is to add a filter rule to get rid
of these unwanted log messages or do nothing and ignore FTP
inbound error messages in your log. Not like you do FTP
session to the public Internet all the time, so this is not
a big deal.</para>
inbound error messages in your log. Most people do not use
outbound FTP too often.</para>
<programlisting>block in quick on rl0 proto tcp from any to any port = 21</programlisting>
</sect3>
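Review bot: "FTP/proxy" in "The <acronym>NAT</acronym> FTP/proxy appears to remove its temp rules prematurely" is left as is while the neighbouring hunk (`@ -1701,7 +1704,7 @@`) writes "FTP Proxy" and its context line writes "FTP proxy"; settle on one spelling, and "temp" should be "temporary". The rewritten sentence "The solution is to add a filter rule to get rid of these unwanted log messages" would be clearer if it said why the rule works: `block in quick on rl0 proto tcp from any to any port = 21` has no `log` keyword, so the inbound port 21 packets are dropped without being logged, whereas a copy of the rule with `log` added would keep the messages coming.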
@ -1758,7 +1760,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
be unleashed. Providing that level of explanation is out of the
scope of this section of the handbook.</para>
<para>IPFW is composed of 7 components, the primary component is
<para>IPFW is composed of seven components, the primary component is
the kernel firewall filter rule processor and its integrated
packet accounting facility, the logging facility, the 'divert'
rule which triggers the <acronym>NAT</acronym> facility, and the
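Review bot: "IPFW is composed of seven components, the primary component is the kernel firewall filter rule processor ..." is a comma splice in the rewritten line; a colon after "components" fixes it ("seven components: the primary component is ..."). Also `'divert'` in the context line uses straight single quotes around a rule keyword; `<literal>divert</literal>` matches the markup used for `<literal>default pass all</literal>` and the other keywords in this diff.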
@ -1820,7 +1822,7 @@ pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</pro
particular rule is to be logged. Without this option, each
repeated occurrences of the same packet will be logged, and
eventually consuming all the free disk space resulting in
services being denied do to lack of resources. The 5 is the
services being denied do to lack of resources. The number <literal>5</literal> is the
number of consecutive times to log evidence of this unique
occurrence.</para>
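Review bot: "do to lack of resources" in the rewritten line should be "due to lack of resources"; the line is touched anyway. Two lines above it, "each repeated occurrences of the same packet will be logged, and eventually consuming all the free disk space" needs "each repeated occurrence of the same packet will be logged, eventually consuming all the free disk space". Wrapping the value in `<literal>5</literal>` is the right markup, but "The number <literal>5</literal> is the number of consecutive times" repeats "number"; "The value <literal>5</literal> is the number of consecutive times" reads better.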
@ -1932,7 +1934,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
session conversation. The firewall rule set processes the
packet 2 times, once on its arrival from the public Internet
packet twice: once on its arrival from the public Internet
host and again as it leaves for its return trip back to the
public Internet host. Each tcp/ip service (i.e. telnet, www,
mail, etc.) is predefined by its protocol, and port number.
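Review bot: "Each tcp/ip service (i.e. telnet, www, mail, etc.)" in the context lines should be "TCP/IP", as in the IPF copy of this paragraph (`@ -777,7 +773,7 @@`), and "i.e." should be "e.g." since telnet, www and mail are examples. The change to "twice" here is good; the IPF copy should be brought into line with it rather than the two sections diverging.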
@ -2207,7 +2209,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
the kernel, the number of consecutive messages concerning
a particular rule is capped at the number specified. There
is nothing to be gained from 200 log messages saying the
same identical thing. For instance, 5 consecutive messages
same identical thing. For instance, five consecutive messages
concerning a particular rule would be logged to syslogd,
the remainder identical consecutive messages would be
counted and posted to the syslogd with a phrase like
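Review bot: "the remainder identical consecutive messages would be counted" in the context lines should be "the remaining identical consecutive messages", and "same identical thing" is redundant ("the same thing"). Writing 200 as digits and five as a word follows the rule stated in the commit message, so the hunk itself is consistent.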
@ -2334,7 +2336,7 @@ ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</p
keep state stateful table.</para>
<para>The Inbound section has all the blocking of undesirable
packets first for 2 different reasons. First is these things
packets first for two different reasons. First is these things
being blocked may be part of an otherwise valid packet which
may be allowed in by the later authorized service rules.
Second reason is that by having a rule that explicitly
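Review bot: "First is these things being blocked may be part of an otherwise valid packet" and "Second reason is that by having a rule that explicitly" are not parallel; "The first is that the things being blocked may be part of ..." and "The second is that by having a rule that explicitly ..." keep the two reasons in the same shape. The "2" to "two" change is fine.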