White space fix only. Translators can ignore.

Sponsored by: iXsystems
svn path=/head/; revision=44601
2014-04-17 20:33:55 +00:00 · 2014-04-17 20:33:55 +00:00 · 9f6c3b13b1 · 2020-12-08 03:00:23 +00:00
commit 9f6c3b13b1
parent 2595184f26
1 changed files with 120 additions and 120 deletions
--- a/en_US.ISO8859-1/books/handbook/security/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml
@ -51,8 +51,8 @@
      </listitem>
      <listitem>
-	<para>How to configure <application>TCP Wrapper</application> for use
+	<para>How to configure <application>TCP Wrapper</application>
-	  with &man.inetd.8;.</para>
+	  for use with &man.inetd.8;.</para>
      </listitem>
      <listitem>
@ -877,21 +877,20 @@ Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
    <indexterm><primary>TCP Wrapper</primary></indexterm>
    <para><application>TCP Wrapper</application> is a host-based
-      access control system which extends the abilities of
+      access control system which extends the abilities of <xref
-      <xref linkend="network-inetd"/>.  It can be configured
+	linkend="network-inetd"/>.  It can be configured to provide
-      to provide logging support, return messages, and
+      logging support, return messages, and connection restrictions
-      connection restrictions for the
+      for the server daemons under the control of
      server daemons under the control of
      <application>inetd</application>.  Refer to &man.tcpd.8; for
      more information about
      <application>TCP Wrapper</application> and its features.</para>
-    <para><application>TCP Wrapper</application> should not be considered a
+    <para><application>TCP Wrapper</application> should not be
-      replacement for a properly configured firewall.
+      considered a replacement for a properly configured firewall.
-      Instead, <application>TCP Wrapper</application> should be used in conjunction
+      Instead, <application>TCP Wrapper</application> should be used
-      with a firewall and other security enhancements in order to
+      in conjunction with a firewall and other security enhancements
-      provide another layer of protection in the implementation of a
+      in order to provide another layer of protection in the
-      security policy.</para>
+      implementation of a security policy.</para>
    <sect2>
      <title>Initial Configuration</title>
@ -903,33 +902,35 @@ Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
      <programlisting>inetd_enable="YES"
 inetd_flags="-Ww"</programlisting>
-	<para>Then, properly configure
+      <para>Then, properly configure
 	<filename>/etc/hosts.allow</filename>.</para>
      <note>
 	<para>Unlike other implementations of
-	  <application>TCP Wrapper</application>, the use of <filename>hosts.deny</filename> is
+	  <application>TCP Wrapper</application>, the use of
-	  deprecated in &os;.  All configuration options should be placed
+	  <filename>hosts.deny</filename> is deprecated in &os;.  All
-	  in <filename>/etc/hosts.allow</filename>.</para>
+	  configuration options should be placed in
 	  <filename>/etc/hosts.allow</filename>.</para>
      </note>
      <para>In the simplest configuration, daemon connection policies
-	are set to either permit or block, depending on the
+	are set to either permit or block, depending on the options in
-	options in <filename>/etc/hosts.allow</filename>.  The default
+	<filename>/etc/hosts.allow</filename>.  The default
-	configuration in &os; is to allow all connections to the daemons
+	configuration in &os; is to allow all connections to the
-	started with <application>inetd</application>.</para>
+	daemons started with <application>inetd</application>.</para>
      <para>Basic configuration usually takes the form of
 	<literal>daemon : address : action</literal>, where
-	<literal>daemon</literal> is the daemon which <application>inetd</application>
+	<literal>daemon</literal> is the daemon which
-	started, <literal>address</literal> is a valid hostname,
+	<application>inetd</application> started,
 	<literal>address</literal> is a valid hostname,
 	<acronym>IP</acronym> address, or an IPv6 address enclosed in
 	brackets ([&nbsp;]), and <literal>action</literal> is either
 	<literal>allow</literal> or <literal>deny</literal>.
 	<application>TCP Wrapper</application> uses a first rule match
-	semantic, meaning that the configuration file is scanned
+	semantic, meaning that the configuration file is scanned from
-	from the beginning for a matching rule.  When a match is found,
+	the beginning for a matching rule.  When a match is found, the
-	the rule is applied and the search process stops.</para>
+	rule is applied and the search process stops.</para>
      <para>For example, to allow <acronym>POP</acronym>3 connections
 	via the <package>mail/qpopper</package> daemon, the following
@ -942,102 +943,100 @@ qpopper : ALL : allow</programlisting>
      <para>Whenever this file is edited, restart
 	<application>inetd</application>:</para>
-	<screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
+      <screen>&prompt.root; <userinput>service inetd restart</userinput></screen>
    </sect2>
    <sect2>
      <title>Advanced Configuration</title>
-      <para><application>TCP Wrapper</application> provides advanced options
+      <para><application>TCP Wrapper</application> provides advanced
-	to allow more control over the way connections are handled.
+	options to allow more control over the way connections are
-	In some cases, it may be appropriate to return a comment to
+	handled.  In some cases, it may be appropriate to return a
-	certain hosts or daemon connections.  In other cases, a log
+	comment to certain hosts or daemon connections.  In other
-	entry should be recorded or an email sent to the
+	cases, a log entry should be recorded or an email sent to the
 	administrator.  Other situations may require the use of a
 	service for local connections only.  This is all possible
-	through the use of configuration options known as
+	through the use of configuration options known as wildcards,
-	wildcards, expansion characters, and
+	expansion characters, and external command execution.</para>
 	external command execution.</para>
-	<para>Suppose that a situation occurs where a connection
+      <para>Suppose that a situation occurs where a connection should
-	  should be denied yet a reason should be sent to the
+	be denied yet a reason should be sent to the host who
-	  host who attempted to establish that connection.  That
+	attempted to establish that connection.  That action is
-	  action is possible with <option>twist</option>.  When a
+	possible with <option>twist</option>.  When a connection
-	  connection attempt is made, <option>twist</option> executes
+	attempt is made, <option>twist</option> executes a shell
-	  a shell command or script.  An example exists in
+	command or script.  An example exists in
-	  <filename>hosts.allow</filename>:</para>
+	<filename>hosts.allow</filename>:</para>
-	<programlisting># The rest of the daemons are protected.
+      <programlisting># The rest of the daemons are protected.
 ALL : ALL \
 	: severity auth.info \
 	: twist /bin/echo "You are not welcome to use %d from %h."</programlisting>
-	<para>In this example, the message <quote>You are not allowed
+      <para>In this example, the message <quote>You are not allowed to
-	    to use <replaceable>daemon name</replaceable> from
+	use <replaceable>daemon name</replaceable> from
-	    <replaceable>hostname</replaceable>.</quote> will be returned for
+	<replaceable>hostname</replaceable>.</quote> will be returned
-	  any daemon not configured in <filename>hosts.allow</filename>.
+	for any daemon not configured in
-	  This is useful for sending a reply back to the connection
+	<filename>hosts.allow</filename>.  This is useful for sending
-	  initiator right after the established connection is dropped.
+	a reply back to the connection initiator right after the
-	  Any message returned <emphasis>must</emphasis> be wrapped in
+	established connection is dropped.  Any message returned
-	  quote (<literal>"</literal>) characters.</para>
+	<emphasis>must</emphasis> be wrapped in quote
 	(<literal>"</literal>) characters.</para>
-	<warning>
+      <warning>
-	  <para>It may be possible to launch a denial of service
+	<para>It may be possible to launch a denial of service attack
-	    attack on the server if an attacker
+	  on the server if an attacker floods these daemons with
-	    floods these daemons with connection
+	  connection requests.</para>
-	    requests.</para>
+      </warning>
 	</warning>
-	<para>Another possibility is to use <option>spawn</option>.
+      <para>Another possibility is to use <option>spawn</option>.
-	  Like <option>twist</option>, <option>spawn</option>
+	Like <option>twist</option>, <option>spawn</option> implicitly
-	  implicitly denies the connection and may be used to run
+	denies the connection and may be used to run external shell
-	  external shell commands or scripts.  Unlike
+	commands or scripts.  Unlike <option>twist</option>,
-	  <option>twist</option>, <option>spawn</option> will not send
+	<option>spawn</option> will not send a reply back to the host
-	  a reply back to the host who established the
+	who established the connection.  For example, consider the
-	  connection.  For example, consider the following
+	following configuration:</para>
 	  configuration:</para>
-	<programlisting># We do not allow connections from example.com:
+      <programlisting># We do not allow connections from example.com:
 ALL : .example.com \
 	: spawn (/bin/echo %a from %h attempted to access %d &gt;&gt; \
 	  /var/log/connections.log) \
 	: deny</programlisting>
-	<para>This will deny all connection attempts from <systemitem
+      <para>This will deny all connection attempts from <systemitem
-	    class="fqdomainname">*.example.com</systemitem> and log
+	  class="fqdomainname">*.example.com</systemitem> and log the
-	  the hostname, <acronym>IP</acronym> address, and the daemon
+	hostname, <acronym>IP</acronym> address, and the daemon to
-	  to which access was attempted to
+	which access was attempted to
-	  <filename>/var/log/connections.log</filename>.  This example
+	<filename>/var/log/connections.log</filename>.  This example
-	  uses the substitution characters
+	uses the substitution characters <literal>%a</literal> and
-	  <literal>%a</literal> and <literal>%h</literal>.  Refer to
+	<literal>%h</literal>.  Refer to &man.hosts.access.5; for the
-	  &man.hosts.access.5; for the complete list.</para>
+	complete list.</para>
-	<para>To match every instance of a daemon, domain, or
+      <para>To match every instance of a daemon, domain, or
-	  <acronym>IP</acronym> address, use <literal>ALL</literal>.  Another wildcard is
+	<acronym>IP</acronym> address, use <literal>ALL</literal>.
-	  <literal>PARANOID</literal> which may be used to match
+	Another wildcard is <literal>PARANOID</literal> which may be
-	  any host which provides an <acronym>IP</acronym> address
+	used to match any host which provides an <acronym>IP</acronym>
-	  that may be forged because the
+	address that may be forged because the <acronym>IP</acronym>
-	  <acronym>IP</acronym> address differs from its resolved
+	address differs from its resolved hostname.  In this example,
-	  hostname.  In this example, all connection requests to
+	all connection requests to <application>Sendmail</application>
-	  <application>Sendmail</application> which have an <acronym>IP</acronym> address
+	which have an <acronym>IP</acronym> address that varies from
-	  that varies from its hostname will be denied:</para>
+	its hostname will be denied:</para>
-	<programlisting># Block possibly spoofed requests to sendmail:
+      <programlisting># Block possibly spoofed requests to sendmail:
 sendmail : PARANOID : deny</programlisting>
-	<caution>
+      <caution>
-	  <para>Using the <literal>PARANOID</literal> wildcard will
+	<para>Using the <literal>PARANOID</literal> wildcard will
-	    result in denied connections if the client or server has a
+	  result in denied connections if the client or server has a
-	    broken <acronym>DNS</acronym> setup.</para>
+	  broken <acronym>DNS</acronym> setup.</para>
-	</caution>
+      </caution>
-	<para>To learn more about wildcards and their associated
+      <para>To learn more about wildcards and their associated
-	  functionality, refer to &man.hosts.access.5;.</para>
+	functionality, refer to &man.hosts.access.5;.</para>
      <note>
 	<para>When adding new configuration lines, make sure that any
-	  unneeded entries for that daemon are commented
+	  unneeded entries for that daemon are commented out in
-	  out in <filename>hosts.allow</filename>.</para>
+	  <filename>hosts.allow</filename>.</para>
      </note>
    </sect2>
  </sect1>
@ -1772,15 +1771,16 @@ kadmind5_server_enable="YES"</programlisting>
    <para><application>OpenSSL</application> is an open source
      implementation of the <acronym>SSL</acronym> and
-      <acronym>TLS</acronym> protocols.
+      <acronym>TLS</acronym> protocols.  It provides an encryption
-      It provides an encryption transport layer on top of the normal
+      transport layer on top of the normal communications layer,
-      communications layer, allowing it to be intertwined with many
+      allowing it to be intertwined with many network applications and
-      network applications and services.</para>
+      services.</para>
    <para>The version of <application>OpenSSL</application> included
-      in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and
+      in &os; supports the Secure Sockets Layer v2/v3 (SSLv2/SSLv3)
-      Transport Layer Security v1 (TLSv1) network security protocols
+      and Transport Layer Security v1 (TLSv1) network security
-      and can be used as a general cryptographic library.</para>
+      protocols and can be used as a general cryptographic
      library.</para>
 <!--
 This patent expired in 2012, is the note still needed?
    <note>
@ -1793,32 +1793,32 @@ This patent expired in 2012, is the note still needed?
    </note>
    -->
-    <para><application>OpenSSL</application> is often used to
+    <para><application>OpenSSL</application> is often used to encrypt
-      encrypt authentication of mail clients and to secure web based
+      authentication of mail clients and to secure web based
      transactions such as credit card payments.  Some ports, such as
      <package>www/apache24</package> and
-      <package>databases/postgresql91-server</package>, include a compile option for
+      <package>databases/postgresql91-server</package>, include a
-      building with <application>OpenSSL</application>.  If selected,
+      compile option for building with
-      the port will add support using the
+      <application>OpenSSL</application>.  If selected, the port will
-      <package>security/openssl</package> port.  To instead have the
+      add support using the <package>security/openssl</package> port.
-      port compile against the built in version of
+      To instead have the port compile against the built in version of
      <application>OpenSSL</application>, include
-	<varname>WITH_OPENSSL_BASE</varname> when compiling
+      <varname>WITH_OPENSSL_BASE</varname> when compiling in
-	in <application>OpenSSL</application> support.</para>
+      <application>OpenSSL</application> support.</para>
-    <para>Another common use of
+    <para>Another common use of <application>OpenSSL</application> is
-      <application>OpenSSL</application> is to provide certificates
+      to provide certificates for use with software applications.
-      for use with software applications.  Certificates can be used to verify
+      Certificates can be used to verify the credentials of a company
-      the credentials of a company or individual.
+      or individual.  If a certificate has not been signed by an
-      If a certificate has not
+      external <firstterm>Certificate Authority</firstterm>
      been signed by an external <firstterm>Certificate Authority</firstterm>
      (<acronym>CA</acronym>), such as <link
 	xlink:href="http://www.verisign.com">http://www.verisign.com</link>,
-      the application that uses the certificate will produce a warning.
+      the application that uses the certificate will produce a
-      There is a cost associated with obtaining a signed certificate and using a
+      warning.  There is a cost associated with obtaining a signed
-      signed certificate is not mandatory as certificates can be
+      certificate and using a signed certificate is not mandatory as
-      self-signed.  However, using an external authority will prevent warnings and can put
+      certificates can be self-signed.  However, using an external
-      users at ease.</para>
+      authority will prevent warnings and can put users at
      ease.</para>
    <para>This section demonstrates how to create and use certificates
      on a &os; system.  Refer to <xref linkend="ldap-config"/> for an