diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
index c2096b6597..8220cb7903 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@@ -1659,7 +1659,7 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat&prompt.root; service ipfilter start
- To load the ruleset file, specify the name of the file using ipf.
+ To load the firewall rules, specify the name of the ruleset file using ipf.
The following command can
be used to replace the currently running firewall
rules:
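Review bot: The reworded first sentence still leaves "ipf" bare while the surrounding text (see the unchanged `. Refer to &man.ipf.8;` line in the next hunk) uses the man-page entity; since this sentence introduces the command that loads rules, consider writing it as `&man.ipf.8;` on this first mention so readers land on the utility's manual rather than guessing whether "ipf" means the tool, the rule file or the subsystem. Wording-wise the change is an improvement: "firewall rules" versus "ruleset file" now cleanly separates what is loaded from where it is loaded from.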
@@ -1691,9 +1691,13 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnat
This section describes the IPF rule syntax
- used to create stateful rules where the first
- matching rule wins
. Refer to &man.ipf.8; for more details, including the legacy
- rule syntax.
+ used to create stateful rules. When creating rules, keep in
+ mind that the default way in which filter rules are applied
+ is for the last matching rule to be
+ used. Even if the first rule to match a packet is a
+ pass, if there is a later matching rule
+ that is a block, the packet will be dropped.
+ Refer to &man.ipf.5; for more details about rule syntax.
When creating rules, a # character is used to mark the
start of a comment and may appear at the end of a rule, to explain its function,
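Review bot: The unchanged line `. Refer to &man.ipf.8; for more details, including the legacy` sits between the removed "where the first matching rule wins" lines and the removed "rule syntax." line, so after this hunk applies it appears stranded between "This section describes the IPF rule syntax" and the added "used to create stateful rules." sentence; either the ipf(8)/legacy-syntax reference should be removed as part of the same change, or it should be kept as a second sentence next to the new `Refer to &man.ipf.5;` pointer (ipf(5) documents the rule syntax, ipf(8) the loader, so both references are useful). The substantive correction is the important part of this hunk and is right: the old text said "the first matching rule wins", the new text says the last matching rule is used by default and that a later `block` overrides an earlier `pass`; getting this backwards is exactly how a ruleset ends up permitting traffic its author believed was blocked, so this is a security fix to the documentation, not just a rewording.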
@@ -1718,38 +1722,51 @@ ipnat_rules="/etc/ipnat.rules" # rules definition file for ipnatACTION
The action keyword indicates what to do with the
- packet if it matches the rest of the filter rule. Each
+ packet if it matches that rule. Every
rule must have an action. The
following actions are recognized:
- block indicates that the packet
- should be dropped if the selection parameters match the
- packet.
+ block: drops the packet.
- pass indicates that the packet
- should exit the firewall if the selection parameters
- match the packet.
+ pass: allows the packet.
+
+ log: generates a log record.
+
+ count: counts the number of
+ packets and bytes which can provide an indication of
+ how often a rule is used.
+
+ auth: queues the packet for
+ further processing by another program.
+
+ call: provides access to
+ functions built into IPF that
+ allow more complex actions.
+
+ decapsulate: removes any headers
+ in order to process the contents of the packet.
IN-OUT
- A mandatory requirement is that each filter rule
- explicitly state which side of the I/O it is to be used
- on. The next keyword must be either
- in or out and one
- or the other has to be included or the rule will not
- pass syntax checks.
+ Next, each rule must
+ explicitly state the direction of traffic using one of
+ these keywords:
- in means this rule is being
- applied against an inbound packet which has just been
- received on the interface facing the public
- Internet.
+ in: the rule is
+ applied against an inbound packet.
- out means this rule is being
- applied against an outbound packet destined for the
- interface facing the public Internet.
+ out: the rule is
+ applied against an outbound packet.
+
+ all: the rule applies to either
+ direction.
+
+ If the system has multiple interfaces, the interface
+ can be specified along with the direction. An example would
+ be in on fxp0.
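Review bot: The rewritten IN-OUT paragraph drops the statement that a rule which omits the direction keyword "will not pass syntax checks"; that was useful operational detail (a malformed rule is rejected at load time rather than silently applied with some default direction), so consider keeping one sentence to that effect after the `in`/`out`/`all` list. Removing "interface facing the public Internet" from the `in` and `out` definitions is correct: direction is relative to the host on whichever interface the packet crosses, and the old wording could mislead a reader into thinking rules on internal interfaces behave differently. Two smaller points in the action list: "decapsulate: removes any headers in order to process the contents of the packet" is vague about which headers and when, so either name the encapsulation it applies to or point to &man.ipf.5;; and `log` and `count` read as standalone actions here, so a reader may expect `log` alone to decide the packet's fate; a short note that they record or tally the packet rather than pass or block it would avoid that confusion. The `in on fxp0` example is fine as an illustration, though `fxp0` is a historical driver name and a more generic interface name would age better.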