Mark a few annoying things in addition to marked ones

This commit is contained in:
Denis Peplin 2005-02-25 11:39:12 +00:00
parent 052c259f53
commit 5efe9d3163
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=23897

@ -155,6 +155,8 @@
they go about it different ways and have different rule
syntaxes.</para>
<!-- XXX: Is rc.firewall really outdated and complicated?
AND: should we modify/remove /etc/rc.firewall or rewrite this: -->
<para>The IPFW sample rule set (found in
<filename>/etc/rc.firewall</filename>) delivered in the basic
install is outdated, complicated and does not use stateful rules
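Review bot: the new XXX comment records doubt about the claim in the paragraph below, but the published text still tells readers that the shipped /etc/rc.firewall is "outdated, complicated and does not use stateful rules". If that claim is unverified, soften the paragraph in the same commit or check it against the current rc.firewall before marking it, rather than leaving an unresolved question in a comment while the strong wording stays live.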
@ -399,6 +401,9 @@ pflog_flags="" # additional flags for pflogd startup</programli
stateful <quote>keep state</quote> option. This is the basic
framework for coding an inclusive firewall rule set.</para>
<!-- XXX: something like this already in
<xref linkend="firewalls-concepts">
AND: the para below is repeated 3 times in this chapter-->
<para>An inclusive firewall only allows packets matching the rules
to pass through. This way you can control what services can
originate behind the firewall destined for the public Internet
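Review bot: the comment says this paragraph is "repeated 3 times in this chapter", and this patch adds the identical marker at all three spots (here, in the IPF section and in the IPFW section). A single tracked item that lists the three locations, or a move of the shared text into the firewalls-concepts section it already points at with an xref from each filter-specific section, would be easier to act on than three copies of the same note. Also note "already in <xref linkend="firewalls-concepts">" sits inside an XML comment, so the xref is never resolved; spell out the section title so the pointer survives id changes.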
@ -912,6 +917,15 @@ sh /etc/ipf.rules.script</programlisting>
<sect2>
<title>IPF Rule Sets</title>
<!-- XXX: looks incorrect (and duplicated 2 times in this chapter):
1. Packet can be processed two times depend of firewall
firewall configuration, but "return trip back" is
another packet.
2. "Each TCP/IP service ... is predefined by its protocol ..."
- this shold be about packet and it's parameters
(source/destination address and port).
-->
<para>A rule set is a group of ipf rules coded to pass or block
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
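Review bot: the objection in point 1 is correct and worth stating more precisely in the comment: a given packet is evaluated by the filter once per interface and direction it crosses, and the reply is a separate packet that only relates to the first one through the state table. Point 2 is likewise right that rules match on packet fields (protocol, source and destination address and port), not on "services". Fix the typos before committing so the note reads cleanly: "depend of" -> "depending on", "shold" -> "should", "it's parameters" -> "its parameters".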
@ -940,6 +954,9 @@ sh /etc/ipf.rules.script</programlisting>
<quote>keep state</quote> option. This is the basic framework for coding an
inclusive firewall rule set.</para>
<!-- XXX: something like this already in
<xref linkend="firewalls-concepts">
AND: the para below is repeated 3 times in this chapter-->
<para>An inclusive firewall only allows services matching the
rules through. This way you can control what services can
originate behind the firewall destined for the public Internet
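Review bot: this copy of the paragraph reads "only allows services matching the rules through" while the PF copy at line 401 reads "only allows packets matching the rules", so the three "repeated" paragraphs are not actually identical. When the duplication is resolved, keep the "packets" wording; a filter matches packets, and the "services" phrasing is exactly what the XXX comment in the IPF Rule Sets section objects to.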
@ -1201,6 +1218,7 @@ sh /etc/ipf.rules.script</programlisting>
<secondary>stateful filtering</secondary>
</indexterm>
<!-- XXX: duplicated -->
<para>Stateful filtering treats traffic as a bi-directional
exchange of packets comprising a session conversation. When
activated, keep-state dynamically generates internal rules for
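Review bot: "XXX: duplicated" gives no pointer to the other copy, which makes the marker hard to act on later. Name the counterpart explicitly (the stateful filtering paragraph under the IPFW section, marked the same way further down in this patch), and decide which section should own the definition and which should cross-reference it.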
@ -2151,6 +2169,14 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
<sect2 id="firewalls-ipfw-rules">
<title>IPFW Rule Sets</title>
<!-- XXX: looks incorrect (and duplicated 2 times in this chapter):
1. Packet can be processed two times depend of firewall
firewall configuration, but "return trip back" is
another packet.
2. "Each TCP/IP service ... is predefined by its protocol ..."
- this shold be about packet and it's parameters
(source/destination address and port).
-->
<para>A rule set is a group of ipfw rules coded to allow or deny
packets based on the values contained in the packet. The
bi-directional exchange of packets between hosts comprises a
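Review bot: this is the same nine-line comment as in the IPF Rule Sets hunk, typos included ("depend of", "shold", "it's"). Since the comment itself says the text is "duplicated 2 times", one corrected comment at the first occurrence plus a one-line "see IPF Rule Sets comment" here would avoid having to fix the same wording twice.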
@ -2184,6 +2210,9 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
and via options. This is the basic framework for coding an
inclusive type firewall rule set.</para>
<!-- XXX: something like this already in
<xref linkend="firewalls-concepts">
AND: the para below is repeated 3 times in this chapter-->
<para>An inclusive firewall only allows services matching the
rules through. This way you can control what services can
originate behind the firewall destine for the public Internet
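Review bot: the unchanged context line "destine for the public Internet" has a typo ("destined"); since this hunk already touches the paragraph, fix it here rather than leaving it for the eventual de-duplication.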
@ -2378,6 +2407,7 @@ options IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
<secondary>stateful filtering</secondary>
</indexterm>
<!-- XXX: duplicated -->
<para>Stateful filtering treats traffic as a bi-directional
exchange of packets comprising a session conversation. It
has the interrogation abilities to determine if the session
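Review bot: same point as for the IPF copy of this paragraph: "XXX: duplicated" should say where the other copy is so whoever consolidates the text can find both without grepping. Note also that the two copies already diverge ("When activated, keep-state dynamically generates..." here versus "It has the interrogation abilities..." in the IPF section), so merging them needs a decision on which description to keep.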