From 5efe9d31632ecb87723f8e105f6a53e521a5bd0a Mon Sep 17 00:00:00 2001
From: Denis Peplin <den@FreeBSD.org>
Date: Fri, 25 Feb 2005 11:39:12 +0000
Subject: [PATCH] Mark a few annoying things in addition to marked ones

---
 .../books/handbook/firewalls/chapter.sgml     | 30 +++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
index 6e3a3ce5ec..75c847d7e9 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml
@@ -155,6 +155,8 @@
       they go about it different ways and have different rule
       syntaxes.</para>
 
+    <!-- XXX: Is rc.firewall really outdated and complicated?
+	AND: should we modify/remove /etc/rc.firewall or rewrite this: -->
     <para>The IPFW sample rule set (found in
       <filename>/etc/rc.firewall</filename>) delivered in the basic
       install is outdated, complicated and does not use stateful rules
@@ -399,6 +401,9 @@ pflog_flags=""                  # additional flags for pflogd startup</programli
       stateful <quote>keep state</quote> option. This is the basic
       framework for coding an inclusive firewall rule set.</para>
 
+    <!-- XXX: something like this already in
+	 <xref linkend="firewalls-concepts">
+	 AND: the para below is repeated 3 times in this chapter-->
     <para>An inclusive firewall only allows packets matching the rules
       to pass through. This way you can control what services can
       originate behind the firewall destined for the public Internet
@@ -912,6 +917,15 @@ sh /etc/ipf.rules.script</programlisting>
 
      <sect2>
        <title>IPF Rule Sets</title>
+
+       <!-- XXX: looks incorrect (and duplicated 2 times in this chapter):
+	    1. Packet can be processed two times depend of firewall
+	       firewall configuration, but "return trip back" is
+	       another packet.
+	    2. "Each TCP/IP service ... is predefined by its protocol ..."
+	       - this shold be about packet and it's parameters
+	       (source/destination address and port).
+       -->
        <para>A rule set is a group of ipf rules coded to pass or block
          packets based on the values contained in the packet. The
          bi-directional exchange of packets between hosts comprises a
@@ -940,6 +954,9 @@ sh /etc/ipf.rules.script</programlisting>
          <quote>keep state</quote> option. This is the basic framework for coding an
          inclusive firewall rule set.</para>
 
+    <!-- XXX: something like this already in
+	 <xref linkend="firewalls-concepts">
+	 AND: the para below is repeated 3 times in this chapter-->
        <para>An inclusive firewall only allows services matching the
          rules through. This way you can control what services can
          originate behind the firewall destined for the public Internet
@@ -1201,6 +1218,7 @@ sh /etc/ipf.rules.script</programlisting>
 	  <secondary>stateful filtering</secondary>
 	</indexterm>
 
+	<!-- XXX: duplicated -->
         <para>Stateful filtering treats traffic as a bi-directional
           exchange of packets comprising a session conversation. When
           activated, keep-state dynamically generates internal rules for
@@ -2151,6 +2169,14 @@ options    IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
     <sect2 id="firewalls-ipfw-rules">
       <title>IPFW Rule Sets</title>
 
+       <!-- XXX: looks incorrect (and duplicated 2 times in this chapter):
+	    1. Packet can be processed two times depend of firewall
+	       firewall configuration, but "return trip back" is
+	       another packet.
+	    2. "Each TCP/IP service ... is predefined by its protocol ..."
+	       - this shold be about packet and it's parameters
+	       (source/destination address and port).
+       -->
       <para>A rule set is a group of ipfw rules coded to allow or deny
         packets based on the values contained in the packet. The
         bi-directional exchange of packets between hosts comprises a
@@ -2184,6 +2210,9 @@ options    IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
         and via options. This is the basic framework for coding an
         inclusive type firewall rule set.</para>
 
+    <!-- XXX: something like this already in
+	 <xref linkend="firewalls-concepts">
+	 AND: the para below is repeated 3 times in this chapter-->
       <para>An inclusive firewall only allows services matching the
         rules through. This way you can control what services can
         originate behind the firewall destine for the public Internet
@@ -2378,6 +2407,7 @@ options    IPV6FIREWALL_DEFAULT_TO_ACCEPT</programlisting>
 	  <secondary>stateful filtering</secondary>
 	</indexterm>
 
+	<!-- XXX: duplicated -->
         <para>Stateful filtering treats traffic as a bi-directional
           exchange of packets comprising a session conversation. It
           has the interrogation abilities to determine if the session