White space fix only. Translators can ignore.

Sponsored by: iXsystems
svn path=/head/; revision=44025
2014-02-22 03:13:44 +00:00 · 2014-02-22 03:13:44 +00:00 · 984d8c3dbb · 2020-12-08 03:00:23 +00:00
commit 984d8c3dbb
parent be4fc36d5e
1 changed files with 228 additions and 218 deletions
--- a/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
@ -156,28 +156,27 @@
      <secondary>rulesets</secondary>
    </indexterm>
-    <para>A ruleset contains a group of rules which pass or
+    <para>A ruleset contains a group of rules which pass or block
-	block packets based on the values contained in the packet.
+      packets based on the values contained in the packet.  The
-	The bi-directional exchange of packets between hosts comprises
+      bi-directional exchange of packets between hosts comprises a
-	a session conversation.  The firewall ruleset processes both
+      session conversation.  The firewall ruleset processes both the
-	the packets arriving from the public Internet, as well as the
+      packets arriving from the public Internet, as well as the
-	packets produced by the system as a response to them.  Each
+      packets produced by the system as a response to them.  Each
-	<acronym>TCP/IP</acronym> service is predefined by its
+      <acronym>TCP/IP</acronym> service is predefined by its protocol
-	protocol and listening port.  Packets destined for a specific
+      and listening port.  Packets destined for a specific service
-	service originate from the source address using an
+      originate from the source address using an unprivileged port and
-	unprivileged port and target the specific service port on the
+      target the specific service port on the destination address.
-	destination address.  All the above parameters can be used as
+      All the above parameters can be used as selection criteria to
-	selection criteria to create rules which will pass or block
+      create rules which will pass or block services.</para>
 	services.</para>
-      <para>To lookup unknown port numbers, refer to
+    <para>To lookup unknown port numbers, refer to
-	<filename>/etc/services</filename>.  Alternatively, visit <uri
+      <filename>/etc/services</filename>.  Alternatively, visit <uri
-	  xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
+	xlink:href="http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers">http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers</uri>
-	and do a port number lookup to find the purpose of a
+      and do a port number lookup to find the purpose of a particular
-	particular port number.</para>
+      port number.</para>
-      <para>Check out this link for port numbers used by Trojans <uri
+    <para>Check out this link for port numbers used by Trojans <uri
-	  xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
+	xlink:href="http://www.sans.org/security-resources/idfaq/oddports.php">http://www.sans.org/security-resources/idfaq/oddports.php</uri>.</para>
    <para>A firewall ruleset can be either
      <quote>exclusive</quote> or <quote>inclusive</quote>.  An
@ -207,35 +206,34 @@
      connections and only allows traffic which either matches an
      existing connection or opens a new, allowed connection.</para>
-      <para>Stateful filtering treats traffic as a bi-directional
+    <para>Stateful filtering treats traffic as a bi-directional
-	exchange of packets comprising a session.  When state is specified on a matching rule
+      exchange of packets comprising a session.  When state is
-	the firewall dynamically generates
+      specified on a matching rule the firewall dynamically generates
-	internal rules for each anticipated packet being exchanged
+      internal rules for each anticipated packet being exchanged
-	during the session.  It has sufficient matching capabilities
+      during the session.  It has sufficient matching capabilities to
-	to determine if a packet is valid for a session.  Any packets
+      determine if a packet is valid for a session.  Any packets that
-	that do not properly fit the session template are
+      do not properly fit the session template are automatically
-	automatically rejected.</para>
+      rejected.</para>
-      <para>When the session completes, it is removed from the
+    <para>When the session completes, it is removed from the dynamic
-	dynamic state table.</para>
+      state table.</para>
-      <para>Stateful filtering allows one to focus on blocking/passing
+    <para>Stateful filtering allows one to focus on blocking/passing
-	new sessions.  If the new session is passed, all its
+      new sessions.  If the new session is passed, all its subsequent
-	subsequent packets are allowed automatically and any impostor
+      packets are allowed automatically and any impostor packets are
-	packets are automatically rejected.  If a new session is
+      automatically rejected.  If a new session is blocked, none of
-	blocked, none of its subsequent packets are allowed.  Stateful
+      its subsequent packets are allowed.  Stateful filtering provides
-	filtering provides advanced matching abilities capable of
+      advanced matching abilities capable of defending against the
-	defending against the flood of different attack methods
+      flood of different attack methods employed by attackers.</para>
 	employed by attackers.</para>
-      <warning>
+    <warning>
-	<para>When working with the firewall rules, be <emphasis>very
+      <para>When working with the firewall rules, be <emphasis>very
-	    careful</emphasis>.  Some configurations <emphasis>can
+	  careful</emphasis>.  Some configurations <emphasis>can
 	  lock the administrator out</emphasis> of the server.  To be
-	  on the safe side, consider performing the initial firewall
+	on the safe side, consider performing the initial firewall
-	  configuration from the local console rather than doing it
+	configuration from the local console rather than doing it
-	  remotely over <application>ssh</application>.</para>
+	remotely over <application>ssh</application>.</para>
-      </warning>
+    </warning>
  </sect1>
  <sect1 xml:id="firewalls-pf">
@ -1685,23 +1683,22 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
      <programlisting>&prompt.root; <userinput>service ipfilter start</userinput></programlisting>
-      <para>To load the firewall rules, specify the name of the ruleset file using <command>ipf</command>.
+      <para>To load the firewall rules, specify the name of the
-	The following command can
+	ruleset file using <command>ipf</command>.  The following
-	be used to replace the currently running firewall
+	command can be used to replace the currently running firewall
 	rules:</para>
      <screen>&prompt.root; <userinput>ipf -Fa -f /etc/ipf.rules</userinput></screen>
      <para>where <option>-Fa</option> flushes all the internal rules
-	tables and <option>-f</option> specifies the file containing the
+	tables and <option>-f</option> specifies the file containing
-	rules to load.</para>
+	the rules to load.</para>
      <para>This provides the ability to make changes to a custom
-	ruleset and update the
+	ruleset and update the running firewall with a fresh copy of
-	running firewall with a fresh copy of the rules without having
+	the rules without having to reboot the system.  This method is
-	to reboot the system.  This method is convenient for testing
+	convenient for testing new rules as the procedure can be
-	new rules as the procedure can be executed as many times as
+	executed as many times as needed.</para>
 	needed.</para>
      <para>Refer to &man.ipf.8; for details on the other flags
 	available with this command.</para>
@ -1716,37 +1713,40 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	<secondary>rule syntax</secondary>
      </indexterm>
-      <para>This section describes the <application>IPF</application> rule syntax
+      <para>This section describes the <application>IPF</application>
-	used to create stateful rules.  When creating rules, keep in
+	rule syntax used to create stateful rules.  When creating
-	mind that unless the <literal>quick</literal> keyword appears
+	rules, keep in mind that unless the <literal>quick</literal>
-	in a rule, every rule is read
+	keyword appears in a rule, every rule is read in order, with
-	in order, with the <emphasis>last  matching rule</emphasis>
+	the <emphasis>last  matching rule</emphasis> being the one
-	being the one that is applied. This means that even if the first rule to match a packet is a
+	that is applied.  This means that even if the first rule to
-	<literal>pass</literal>, if there is a later matching rule
+	match a packet is a <literal>pass</literal>, if there is a
-	that is a <literal>block</literal>, the packet will be dropped.
+	later matching rule that is a <literal>block</literal>, the
-	Sample rulesets can be found in
+	packet will be dropped.  Sample rulesets can be found in
-	<filename class="directory">/usr/share/examples/ipfilter</filename>.</para>
+	<filename
 	  class="directory">/usr/share/examples/ipfilter</filename>.</para>
-      <para>When creating rules, a <literal>#</literal> character is used to mark the
+      <para>When creating rules, a <literal>#</literal> character is
-	start of a comment and may appear at the end of a rule, to explain that rule's function,
+	used to mark the start of a comment and may appear at the end
-	or on its own line.  Any blank lines are ignored.</para>
+	of a rule, to explain that rule's function, or on its own
 	line.  Any blank lines are ignored.</para>
-      <para>The keywords which are used in rules must be written in a specific
+      <para>The keywords which are used in rules must be written in a
-	order, from left to right.  Some keywords are mandatory while
+	specific order, from left to right.  Some keywords are
-	others are optional.  Some keywords have sub-options which may be
+	mandatory while others are optional.  Some keywords have
-	keywords themselves and also include more sub-options.  The
+	sub-options which may be keywords themselves and also include
-	keyword order is as follows, where the words shown in uppercase
+	more sub-options.  The keyword order is as follows, where the
-	represent a variable and the words shown in lowercase must
+	words shown in uppercase represent a variable and the words
-	precede the variable that follows it:</para>
+	shown in lowercase must precede the variable that follows
 	it:</para>
      <para><replaceable>ACTION DIRECTION OPTIONS proto PROTO_TYPE
-	  from SRC_ADDR SRC_PORT to DST_ADDR DST_PORT TCP_FLAG|ICMP_TYPE
+	  from SRC_ADDR SRC_PORT to DST_ADDR DST_PORT
-	  keep state STATE</replaceable></para>
+	  TCP_FLAG|ICMP_TYPE keep state STATE</replaceable></para>
-      <para>This section describes each of these keywords and their options.  It
+      <para>This section describes each of these keywords and their
-	is not an exhaustive list of every possible option.  Refer to
+	options.  It is not an exhaustive list of every possible
-	&man.ipf.5; for a complete description of the rule
+	option.  Refer to &man.ipf.5; for a complete description of
-	syntax that can be used when creating
+	the rule syntax that can be used when creating
 	<application>IPF</application> rules and examples for using
 	each keyword.</para>
@ -1755,15 +1755,16 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	  <term>ACTION</term>
 	  <listitem>
 	    <para>The action keyword indicates what to do with the
-	      packet if it matches that rule.  Every
+	      packet if it matches that rule.  Every rule
-	      rule <emphasis>must</emphasis> have an action.  The
+	      <emphasis>must</emphasis> have an action.  The
 	      following actions are recognized:</para>
 	    <para><literal>block</literal>: drops the packet.</para>
 	    <para><literal>pass</literal>: allows the packet.</para>
-	    <para><literal>log</literal>: generates a log record.</para>
+	    <para><literal>log</literal>: generates a log
 	      record.</para>
 	    <para><literal>count</literal>: counts the number of
 	      packets and bytes which can provide an indication of
@ -1777,62 +1778,60 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	      allow more complex actions.</para>
 	    <para><literal>decapsulate</literal>: removes any headers
-              in order to process the contents of the packet.</para>
+	      in order to process the contents of the packet.</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>DIRECTION</term>
 	  <listitem>
-	    <para>Next, each rule must
+	    <para>Next, each rule must explicitly state the direction
-	      explicitly state the direction of traffic using one of
+	      of traffic using one of these keywords:</para>
 	      these keywords:</para>
-	    <para><literal>in</literal>: the rule is
+	    <para><literal>in</literal>: the rule is applied against
-	      applied against an inbound packet.</para>
+	      an inbound packet.</para>
-	    <para><literal>out</literal>: the rule is
+	    <para><literal>out</literal>: the rule is applied against
-	      applied against an outbound packet.</para>
+	      an outbound packet.</para>
 	    <para><literal>all</literal>: the rule applies to either
 	      direction.</para>
 	    <para>If the system has multiple interfaces, the interface
-	      can be specified along with the direction.  An example would
+	      can be specified along with the direction.  An example
-	      be <literal>in on fxp0</literal>.</para>
+	      would be <literal>in on fxp0</literal>.</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>OPTIONS</term>
 	  <listitem>
-	      <para>Options are optional. However, if multiple options
+	    <para>Options are optional.  However, if multiple options
-		are specified, they must be used in the order shown
+	      are specified, they must be used in the order shown
-		here.</para>
+	      here.</para>
 	    <para><literal>log</literal>: when performing the
-	      specified ACTION, the contents of the packet's
+	      specified ACTION, the contents of the packet's headers
-	      headers will be written to the &man.ipl.4; packet log
+	      will be written to the &man.ipl.4; packet log
 	      pseudo-device.</para>
-	    <para><literal>quick</literal>: if
+	    <para><literal>quick</literal>: if a packet matches this
-	      a packet matches this rule, the ACTION specified by the
+	      rule, the ACTION specified by the rule occurs and no
-	      rule occurs and no further processing of any
+	      further processing of any following rules will occur for
-	      following rules will occur for this packet.</para>
+	      this packet.</para>
-	    <para><literal>on</literal>: must be followed by the interface name
+	    <para><literal>on</literal>: must be followed by the
-	      as displayed by &man.ifconfig.8;.
+	      interface name as displayed by &man.ifconfig.8;.  The
-	      The rule will only match if the
+	      rule will only match if the packet is going through the
-	      packet is going through the specified interface in the specified
+	      specified interface in the specified direction.</para>
 	      direction.</para>
 	    <para>When using the
 	      <literal>log</literal> keyword, the following qualifiers
 	      may be used in this order:</para>
-	    <para><literal>body</literal>: indicates that the first 128
+	    <para><literal>body</literal>: indicates that the first
-	      bytes of the packet contents will be logged after the
+	      128 bytes of the packet contents will be logged after
-	      headers.</para>
+	      the headers.</para>
 	    <para><literal>first</literal>:  if the
 	      <literal>log</literal> keyword is being used in
@ -1841,8 +1840,9 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	      packet is logged and not every packet which matches the
 	      stateful connection.</para>
-	    <para>Additional options are available to specify
+	    <para>Additional options are available to specify error
-	      error return messages.  Refer to  &man.ipf.5; for more details.</para>
+	      return messages.  Refer to  &man.ipf.5; for more
 	      details.</para>
 	  </listitem>
 	</varlistentry>
@ -1858,10 +1858,10 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	      protocol number or name from
 	      <filename>/etc/protocols</filename>.
 	      Example protocol names include <literal>tcp</literal>,
-	      <literal>udp</literal>, or
+	      <literal>udp</literal>, or <literal>icmp</literal>.  If
-	      <literal>icmp</literal>.  If PROTO_TYPE is specified but
+	      PROTO_TYPE is specified but no SRC_PORT or DST_PORT is
-	      no SRC_PORT or DST_PORT is specified, all port numbers
+	      specified, all port numbers for that protocol will match
-	      for that protocol will match that rule.</para>
+	      that rule.</para>
 	  </listitem>
 	</varlistentry>
@ -1876,11 +1876,13 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	      keyword <literal>all</literal>.  Refer to &man.ipf.5;
 	      for examples.</para>
-	      <para>There is no way to match ranges of <acronym>IP</acronym> addresses
+	    <para>There is no way to match ranges of
-	      which do not express themselves easily using the dotted
+	      <acronym>IP</acronym> addresses which do not express
-	      numeric form / mask-length notation.  The
+	      themselves easily using the dotted numeric form /
-	      <package>net-mgmt/ipcalc</package> package or port may be used to
+	      mask-length notation.  The
-	      ease the calculation of the <acronym>CIDR</acronym> mask.  Additional information is
+	      <package>net-mgmt/ipcalc</package> package or port may
 	      be used to ease the calculation of the
 	      <acronym>CIDR</acronym> mask.  Additional information is
 	      available at the utility's web page: <uri
 		xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
 	  </listitem>
@ -1890,24 +1892,24 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	  <term>SRC_PORT</term>
 	  <listitem>
 	    <para>The port number of the source is optional.  However,
-	      if it is used, it requires PROTO_TYPE to be first defined in
+	      if it is used, it requires PROTO_TYPE to be first
-	      the rule.  The port number must also be preceded by the
+	      defined in the rule.  The port number must also be
-	      <literal>proto</literal> keyword.</para>
+	      preceded by the <literal>proto</literal> keyword.</para>
-	    <para>A number of different comparison operators are supported:
+	    <para>A number of different comparison operators are
-	      <literal>=</literal> (equal to),
+	      supported: <literal>=</literal> (equal to),
 	      <literal>!=</literal> (not equal to),
 	      <literal>&lt;</literal> (less than),
 	      <literal>&gt;</literal> (greater than),
 	      <literal>&lt;=</literal> (less than or equal to), and
-	      <literal>&gt;=</literal> (greater than or equal to).
+	      <literal>&gt;=</literal> (greater than or equal
-	    </para>
+	      to).</para>
 	    <para>To specify port ranges, place the two port numbers
-	      between <literal>&lt;&gt;</literal> (less than and greater than ),
+	      between <literal>&lt;&gt;</literal> (less than and
-	      <literal>&gt;&lt;</literal> (greater than and less than ), or
+	      greater than ), <literal>&gt;&lt;</literal> (greater
-	      <literal>:</literal> (greater than or equal to and
+	      than and less than ), or <literal>:</literal> (greater
-              less than or equal to).</para>
+	      than or equal to and less than or equal to).</para>
 	  </listitem>
 	</varlistentry>
@ -1915,20 +1917,21 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	  <term>DST_ADDR</term>
 	  <listitem>
 	    <para>The <literal>to</literal> keyword is mandatory and
-	      is followed by a keyword which represents the destination of
+	      is followed by a keyword which represents the
-	      the packet.  Similar to SRC_ADDR, it can be a hostname, an 
+	      destination of the packet.  Similar to SRC_ADDR, it can
-	      <acronym>IP</acronym> address followed by the
+	      be a hostname, an  <acronym>IP</acronym> address
-	      <acronym>CIDR</acronym> mask, an address pool, or the
+	      followed by the <acronym>CIDR</acronym> mask, an address
-	      keyword <literal>all</literal>.</para>
+	      pool, or the keyword <literal>all</literal>.</para>
 	  </listitem>
 	</varlistentry>
 	<varlistentry>
 	  <term>DST_PORT</term>
 	  <listitem>
-	    <para>Similar to SRC_PORT, the port number of the destination is optional.  However,
+	    <para>Similar to SRC_PORT, the port number of the
-	      if it is used, it requires PROTO_TYPE to be first defined in
+	      destination is optional.  However, if it is used, it
-	      the rule.  The port number must also be preceded by the
+	      requires PROTO_TYPE to be first defined in the rule.
 	      The port number must also be preceded by the
 	      <literal>proto</literal> keyword.</para>
 	  </listitem>
 	</varlistentry>
@ -1936,11 +1939,12 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	<varlistentry>
 	  <term>TCP_FLAG|ICMP_TYPE</term>
 	  <listitem>
-	    <para>If <literal>tcp</literal> is specifed as the PROTO_TYPE, flags
+	    <para>If <literal>tcp</literal> is specifed as the
-	      can be specified as letters, where each letter represents one of the possible
+	      PROTO_TYPE, flags can be specified as letters, where
-	      <acronym>TCP</acronym> flags used to determine
+	      each letter represents one of the possible
-	      the state of a connection.  Possible values
+	      <acronym>TCP</acronym> flags used to determine the state
-	      are: <literal>S</literal> (SYN),
+	      of a connection.  Possible values are:
 	      <literal>S</literal> (SYN),
 	      <literal>A</literal> (ACK),
 	      <literal>P</literal> (PSH),
 	      <literal>F</literal> (FIN),
@ -1949,9 +1953,10 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	      <literal>C</literal> (CWN), and
 	      <literal>E</literal> (ECN).</para>
-	    <para>If <literal>icmp</literal> is specifed as the PROTO_TYPE,
+	    <para>If <literal>icmp</literal> is specifed as the
-	      the <acronym>ICMP</acronym> type to match can be
+	      PROTO_TYPE, the <acronym>ICMP</acronym> type to match
-	      specified.  Refer to &man.ipf.5; for the allowable types.</para>
+	      can be specified.  Refer to &man.ipf.5; for the
 	      allowable types.</para>
 	  </listitem>
 	</varlistentry>
@ -1959,39 +1964,42 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	  <term>STATE</term>
 	  <listitem>
 	    <para>If a <literal>pass</literal> rule contains
-	    <literal>keep state</literal>,
+	      <literal>keep state</literal>,
-	    <application>IPF</application> will add an entry to its
+	      <application>IPF</application> will add an entry to its
-	    dynamic state table and allow subsequent packets that
+	      dynamic state table and allow subsequent packets that
-	    match the connection.
+	      match the connection.
-	    <application>IPF</application> can track state for
+	      <application>IPF</application> can track state for
-	<acronym>TCP</acronym>, <acronym>UDP</acronym>, and
+	      <acronym>TCP</acronym>, <acronym>UDP</acronym>, and
-	<acronym>ICMP</acronym> sessions.  Any packet that <application>IPF</application> can be certain
+	      <acronym>ICMP</acronym> sessions.  Any packet that
-	is part of an active session, even if it is a different
+	      <application>IPF</application> can be certain is part of
-	protocol, will be allowed.</para>
+	      an active session, even if it is a different protocol,
 	      will be allowed.</para>
-      <para>In <application>IPF</application>, packets destined to go out through the interface connected
+	    <para>In <application>IPF</application>, packets destined
-	to the public Internet are first checked against the dynamic
+	      to go out through the interface connected to the public
-	state table.  If the packet matches the next expected packet
+	      Internet are first checked against the dynamic state
-	comprising an active session conversation, it exits the
+	      table.  If the packet matches the next expected packet
-	firewall and the state of the session conversation flow is
+	      comprising an active session conversation, it exits the
-	updated in the dynamic state table.  Packets that do not
+	      firewall and the state of the session conversation flow
-	belong to an already active session are checked against the
+	      is updated in the dynamic state table.  Packets that do
-	outbound ruleset.  Packets coming in from the interface connected to the
+	      not belong to an already active session are checked
-	public Internet are first checked against the dynamic state
+	      against the outbound ruleset.  Packets coming in from
-	table.  If the packet matches the next expected packet
+	      the interface connected to the public Internet are first
-	comprising an active session, it exits the firewall and the
+	      checked against the dynamic state table.  If the packet
-	state of the session conversation flow is updated in the
+	      matches the next expected packet comprising an active
-	dynamic state table.  Packets that do not belong to an already
+	      session, it exits the firewall and the state of the
-	active session are checked against the inbound
+	      session conversation flow is updated in the dynamic
-	ruleset.</para>
+	      state table.  Packets that do not belong to an already
 	      active session are checked against the inbound
 	      ruleset.</para>
-	<para>Several keywords can be added after
+	    <para>Several keywords can be added after
-	  <literal>keep state</literal>.  If used, these keywords set
+	      <literal>keep state</literal>.  If used, these keywords
-	  various options that control stateful filtering, such as
+	      set various options that control stateful filtering,
-	  setting connection limits or connection age.  Refer to
+	      such as setting connection limits or connection age.
-	  &man.ipf.5; for the list of available options and their
+	      Refer to &man.ipf.5; for the list of available options
-	  descriptions.</para>
+	      and their descriptions.</para>
-	</listitem>
+	  </listitem>
 	</varlistentry>
      </variablelist>
    </sect2>
@ -2003,47 +2011,51 @@ ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlist
 	which only allows services matching
 	<literal>pass</literal> rules and blocks all others.</para>
-      <para>&os; uses the loopback interface (<filename>lo0</filename>) and the <acronym>IP</acronym>
+      <para>&os; uses the loopback interface
 	(<filename>lo0</filename>) and the <acronym>IP</acronym>
 	address <systemitem class="ipaddress">127.0.0.1</systemitem>
-	for internal communication.  The
+	for internal communication.  The firewall ruleset must contain
-	firewall ruleset must contain rules to allow free movement of
+	rules to allow free movement of these internally used
-	these internally used packets:</para>
+	packets:</para>
      <programlisting># no restrictions on loopback interface
 pass in quick on lo0 all
 pass out quick on lo0 all</programlisting>
      <para>The public interface connected to the Internet is used to
-	authorize and control access of
+	authorize and control access of all outbound and inbound
-	all outbound and inbound connections.  If one or more interfaces are cabled to private
+	connections.  If one or more interfaces are cabled to private
 	networks, those internal interfaces may require rules to allow
-	packets originating from the <acronym>LAN</acronym> to flow between the internal networks
+	packets originating from the <acronym>LAN</acronym> to flow
-	or to the interface attached to the Internet.  The ruleset should be organized into three major
+	between the internal networks or to the interface attached to
-	sections: any trusted internal interfaces, outbound connections through the public
+	the Internet.  The ruleset should be organized into three
-	interface, and inbound connections through the public interface.</para>
+	major sections: any trusted internal interfaces, outbound
 	connections through the public interface, and inbound
 	connections through the public interface.</para>
-      <para>These two rules allow all traffic to pass through a trusted
+      <para>These two rules allow all traffic to pass through a
-	<acronym>LAN</acronym> interface named <filename>xl0</filename>:</para>
+	trusted <acronym>LAN</acronym> interface named
 	<filename>xl0</filename>:</para>
      <programlisting># no restrictions on inside LAN interface for private network
 pass out quick on xl0 all
 pass in quick on xl0 all</programlisting>
-      <para>The rules for the public interface's outbound and inbound sections should
+      <para>The rules for the public interface's outbound and inbound
-	have the most frequently matched rules placed before less
+	sections should have the most frequently matched rules placed
-	commonly matched rules, with the last rule in the section
+	before less commonly matched rules, with the last rule in the
-	blocking and logging all packets for that interface and
+	section blocking and logging all packets for that interface
-	direction.</para>
+	and direction.</para>
      <para>This set of rules defines the outbound section of the
-	public interface named <filename>dc0</filename>.
+	public interface named <filename>dc0</filename>.  These rules
-	These rules keep state and identify
+	keep state and identify the specific services that internal
-	the specific services that internal systems are authorized for public Internet access.
+	systems are authorized for public Internet access.  All the
-	All the rules use <literal>quick</literal> and specify the
+	rules use <literal>quick</literal> and specify the
 	appropriate port numbers and, where applicable, destination
 	addresses.</para>
- <programlisting># interface facing Internet (outbound)
+      <programlisting># interface facing Internet (outbound)
 # Matches session start requests originating from or behind the
 # firewall, destined for the Internet.
@ -2084,9 +2096,9 @@ pass out quick on dc0 proto icmp from any to any icmp-type 8 keep state
 block out log first quick on dc0 all</programlisting>
      <para>This example of the rules in the inbound section of the
-	public interface blocks all undesirable packets first.
+	public interface blocks all undesirable packets first.  This
-	This reduces the number of packets that are
+	reduces the number of packets that are logged by the last
-	logged by the last rule.</para>
+	rule.</para>
      <programlisting># interface facing Internet (inbound)
 # Block all inbound traffic from non-routable or reserved address spaces
@ -2126,18 +2138,16 @@ block in log first quick on dc0 proto tcp/udp from any to any port = 81</program
      <para>Any time there are logged messages on a rule with
 	the <literal>log first</literal> option, run
-	<command>ipfstat -hio</command>
+	<command>ipfstat -hio</command> to evaluate how many times the
-	to evaluate how many times the rule has been matched.  A
+	rule has been matched.  A large number of matches may indicate
-	large number of matches may indicate that the system is
+	that the system is under attack.</para>
 	under attack.</para>
      <para>The rest of the rules in the inbound section define which
 	connections are allowed to be initiated from the Internet.
 	The last rule denies all connections which were not explicitly
 	allowed by previous rules in this section.</para>
-      <programlisting>
+      <programlisting># Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
 # Allow traffic in from ISP's DHCP server. Replace z.z.z.z with
 # the same IP address used in the outbound section.
 pass in quick on dc0 proto udp from z.z.z.z to any port = 68 keep state