Initial prep work for IPFW section so that it starts to match layout

of other firewall sections. Many more commits to come. Sponsored by: iXsystems
svn path=/head/; revision=44054
2014-02-25 17:59:16 +00:00 · 2014-02-25 17:59:16 +00:00 · 6f7189bc9e · 2020-12-08 03:00:23 +00:00
commit 6f7189bc9e
parent 12caad51ae
1 changed files with 34 additions and 49 deletions
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@ -1639,10 +1639,6 @@ block drop out quick on $ext_if from any to $martians</programlisting>

      <programlisting>net.inet.ip.fw.verbose=1
 net.inet.ip.fw.verbose_limit=5</programlisting>
-    </sect2>
-
-    <sect2 xml:id="firewalls-ipfw-kernel">
-      <title>Kernel Options</title>

      <indexterm>
 	<primary>kernel options</primary>
@ -1720,12 +1716,8 @@ net.inet.ip.fw.verbose_limit=5</programlisting>
 	  option or a rule to explicitly allow these connections is
 	  missing.</para>
      </note>
-    </sect2>

-    <sect2 xml:id="firewalls-ipfw-rc">
-      <title><filename>/etc/rc.conf</filename> Options</title>
-
-      <para>Enables the firewall:</para>
+      <para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>

      <programlisting>firewall_enable="YES"</programlisting>

@ -1876,7 +1868,7 @@ ipfw add deny out</programlisting>
    </sect2>

    <sect2 xml:id="firewalls-ipfw-rules">
-      <title>IPFW Rulesets</title>
+      <title>IPFW Rule Syntax</title>

      <indexterm>
 	<primary>IPFW</primary>
@ -1907,14 +1899,6 @@ ipfw add deny out</programlisting>
 	<literal>via</literal> options.  For a complete rule syntax
 	description, refer to &man.ipfw.8;.</para>

-      <warning>
-	<para>Be careful when working with firewall rules, as it is
-	  easy to lock out even the administrator.</para>
-      </warning>
-
-      <sect3 xml:id="firewalls-ipfw-rules-syntax">
-	<title>Rule Syntax</title>
-
 	<indexterm>
 	  <primary>IPFW</primary>

@ -1930,25 +1914,28 @@ ipfw add deny out</programlisting>
 	<para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION
 	    STATEFUL</replaceable></para>

-	<sect4>
-	  <title>CMD</title>
-
+	<variablelist>
+	  <varlistentry>
+	  <term>CMD</term>
+	  <listitem>
 	  <para>Each new rule has to be prefixed with
 	    <parameter>add</parameter> to add the rule to the internal
 	    table.</para>
-	</sect4>
-
-	<sect4>
-	  <title>RULE_NUMBER</title>
+	</listitem>
+      </varlistentry>

+	<varlistentry>
+	  <term>RULE_NUMBER</term>
+	  <listitem>
 	  <para>Each rule is associated with a rule_number in the
 	    range of <literal>1</literal> to
 	    <literal>65535</literal>.</para>
-	</sect4>
-
-	<sect4>
-	  <title>ACTION</title>
+	</listitem>
+      </varlistentry>

+	<varlistentry>
+	  <term>ACTION</term>
+	  <listitem>
 	  <para>A rule can be associated with one of the following
 	    actions.  The specified action will be executed when the
 	    packet matches the selection criterion of the rule.</para>
@ -1977,11 +1964,12 @@ ipfw add deny out</programlisting>
 	  <para>Both words mean the same thing, which is to discard
 	    packets that match this rule.  The search
 	    terminates.</para>
-	</sect4>
-
-	<sect4>
-	  <title>Logging</title>
+	</listitem>
+      </varlistentry>

+	<varlistentry>
+	  <term>Logging</term>
+	  <listitem>
 	  <para>When a packet matches a rule with the
 	    <literal>log</literal> keyword, a message will be logged
 	    to &man.syslogd.8; with a facility name of
@ -2002,11 +1990,12 @@ ipfw add deny out</programlisting>
 	      final action on the packet.  The administrator decides
 	      which rules to enable logging on.</para>
 	  </note>
-	</sect4>
-
-	<sect4>
-	  <title>Selection</title>
+	</listitem>
+      </varlistentry>

+	<varlistentry>
+	  <term>Selection</term>
+	  <listitem>
 	  <para>The keywords described in this section are used to
 	    describe attributes of the packet to be checked when
 	    determining whether rules match the packet or not.
@ -2087,18 +2076,12 @@ ipfw add deny out</programlisting>
 	    specified.  <literal>limit</literal> and
 	    <literal>keep-state</literal> can not be used on the same
 	    rule as they provide the same stateful function.</para>
-	</sect4>
-      </sect3>
-
-      <sect3>
-	<title>Stateful Rule Option</title>
-
-	<indexterm>
-	  <primary>IPFW</primary>
-
-	  <secondary>stateful filtering</secondary>
-	</indexterm>
+	</listitem>
+      </varlistentry>

+      <varlistentry>
+	<term>Stateful Rule Option</term>
+	<listitem>
 	<para>The <literal>check-state</literal> option is used to
 	  identify where in the IPFW ruleset the packet is to be
 	  tested against the dynamic rules facility.  On a match, the
@ -2119,7 +2102,9 @@ ipfw add deny out</programlisting>
 	  combination occurred.  If this count is greater than the
 	  value specified by <literal>limit</literal>, the packet is
 	  discarded.</para>
-      </sect3>
+      </listitem>
+    </varlistentry>
+  </variablelist>

      <sect3>
 	<title>Logging Firewall Messages</title>