From 6f7189bc9ef573f7ceaec56ce7f2f612156552ba Mon Sep 17 00:00:00 2001
From: Dru Lavigne <dru@FreeBSD.org>
Date: Tue, 25 Feb 2014 17:59:16 +0000
Subject: [PATCH] Initial prep work for IPFW section so that it starts to match
 layout of other firewall sections. Many more commits to come.

Sponsored by: iXsystems
---
 .../books/handbook/firewalls/chapter.xml      | 83 ++++++++-----------
 1 file changed, 34 insertions(+), 49 deletions(-)

diff --git a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
index 51ce505ecc..ccd904b7da 100644
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@@ -1639,10 +1639,6 @@ block drop out quick on $ext_if from any to $martians</programlisting>
 
       <programlisting>net.inet.ip.fw.verbose=1
 net.inet.ip.fw.verbose_limit=5</programlisting>
-    </sect2>
-
-    <sect2 xml:id="firewalls-ipfw-kernel">
-      <title>Kernel Options</title>
 
       <indexterm>
 	<primary>kernel options</primary>
@@ -1720,12 +1716,8 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
 	  option or a rule to explicitly allow these connections is
 	  missing.</para>
       </note>
-    </sect2>
 
-    <sect2 xml:id="firewalls-ipfw-rc">
-      <title><filename>/etc/rc.conf</filename> Options</title>
-
-      <para>Enables the firewall:</para>
+      <para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>
 
       <programlisting>firewall_enable="YES"</programlisting>
 
@@ -1876,7 +1868,7 @@ ipfw add deny out</programlisting>
     </sect2>
 
     <sect2 xml:id="firewalls-ipfw-rules">
-      <title>IPFW Rulesets</title>
+      <title>IPFW Rule Syntax</title>
 
       <indexterm>
 	<primary>IPFW</primary>
@@ -1907,14 +1899,6 @@ ipfw add deny out</programlisting>
 	<literal>via</literal> options.  For a complete rule syntax
 	description, refer to &man.ipfw.8;.</para>
 
-      <warning>
-	<para>Be careful when working with firewall rules, as it is
-	  easy to lock out even the administrator.</para>
-      </warning>
-
-      <sect3 xml:id="firewalls-ipfw-rules-syntax">
-	<title>Rule Syntax</title>
-
 	<indexterm>
 	  <primary>IPFW</primary>
 
@@ -1930,25 +1914,28 @@ ipfw add deny out</programlisting>
 	<para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION
 	    STATEFUL</replaceable></para>
 
-	<sect4>
-	  <title>CMD</title>
-
+	<variablelist>
+	  <varlistentry>
+	  <term>CMD</term>
+	  <listitem>
 	  <para>Each new rule has to be prefixed with
 	    <parameter>add</parameter> to add the rule to the internal
 	    table.</para>
-	</sect4>
-
-	<sect4>
-	  <title>RULE_NUMBER</title>
+	</listitem>
+      </varlistentry>
 
+	<varlistentry>
+	  <term>RULE_NUMBER</term>
+	  <listitem>
 	  <para>Each rule is associated with a rule_number in the
 	    range of <literal>1</literal> to
 	    <literal>65535</literal>.</para>
-	</sect4>
-
-	<sect4>
-	  <title>ACTION</title>
+	</listitem>
+      </varlistentry>
 
+	<varlistentry>
+	  <term>ACTION</term>
+	  <listitem>
 	  <para>A rule can be associated with one of the following
 	    actions.  The specified action will be executed when the
 	    packet matches the selection criterion of the rule.</para>
@@ -1977,11 +1964,12 @@ ipfw add deny out</programlisting>
 	  <para>Both words mean the same thing, which is to discard
 	    packets that match this rule.  The search
 	    terminates.</para>
-	</sect4>
-
-	<sect4>
-	  <title>Logging</title>
+	</listitem>
+      </varlistentry>
 
+	<varlistentry>
+	  <term>Logging</term>
+	  <listitem>
 	  <para>When a packet matches a rule with the
 	    <literal>log</literal> keyword, a message will be logged
 	    to &man.syslogd.8; with a facility name of
@@ -2002,11 +1990,12 @@ ipfw add deny out</programlisting>
 	      final action on the packet.  The administrator decides
 	      which rules to enable logging on.</para>
 	  </note>
-	</sect4>
-
-	<sect4>
-	  <title>Selection</title>
+	</listitem>
+      </varlistentry>
 
+	<varlistentry>
+	  <term>Selection</term>
+	  <listitem>
 	  <para>The keywords described in this section are used to
 	    describe attributes of the packet to be checked when
 	    determining whether rules match the packet or not.
@@ -2087,18 +2076,12 @@ ipfw add deny out</programlisting>
 	    specified.  <literal>limit</literal> and
 	    <literal>keep-state</literal> can not be used on the same
 	    rule as they provide the same stateful function.</para>
-	</sect4>
-      </sect3>
-
-      <sect3>
-	<title>Stateful Rule Option</title>
-
-	<indexterm>
-	  <primary>IPFW</primary>
-
-	  <secondary>stateful filtering</secondary>
-	</indexterm>
+	</listitem>
+      </varlistentry>
 
+      <varlistentry>
+	<term>Stateful Rule Option</term>
+	<listitem>
 	<para>The <literal>check-state</literal> option is used to
 	  identify where in the IPFW ruleset the packet is to be
 	  tested against the dynamic rules facility.  On a match, the
@@ -2119,7 +2102,9 @@ ipfw add deny out</programlisting>
 	  combination occurred.  If this count is greater than the
 	  value specified by <literal>limit</literal>, the packet is
 	  discarded.</para>
-      </sect3>
+      </listitem>
+    </varlistentry>
+  </variablelist>
 
       <sect3>
 	<title>Logging Firewall Messages</title>