Date:      Fri, 21 Jan 2005 05:32:18 -0700 (MST)
From:      Brad Davis <so14k@so14k.com>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   docs/76533: Misc punctuation fixes for the FW chapter.
Message-ID:  <20050121123218.88022E7B@mccaffrey.house.so14k.com>
Resent-Message-ID: <200501211240.j0LCeR6j010294@freefall.freebsd.org>


>Number:         76533
>Category:       docs
>Synopsis:       Misc punctuation fixes for the FW chapter.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 12:40:26 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Brad Davis
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
System: FreeBSD mccaffrey.house.so14k.com 4.10-STABLE FreeBSD 4.10-STABLE #0: Fri May 28 08:02:41 MDT 2004 root@mccaffrey.house.so14k.com:/usr/obj/usr/src/sys/MCCAFFREY i386
>Description:
	1. Remove a space before a period.
	2. Remove a space before a comma.
	3. s/2/two/
	4. Fix spacing around a parenthesis.
	5. s/dns/DNS/
	6. Add note about using a cronjob to flush the rules every so often to prevent locking oneself out.
	7. Add missing beginning.
	8. Remove another space before a period.
	9. Add a missing period.
	10. s/2/two/
	11. Ack! Remove the XXXBLAH I left and replace it with something useful.
	12. s/\./:/
	13. Add a missing :
	14. Fix wording.
>How-To-Repeat:
>Fix:
--- doc-ori/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml       Wed Jan 19 07:01:03 2005
+++ doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml   Fri Jan 21 05:24:47 2005
@@ -336,8 +336,8 @@
       method see: <ulink
       url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink>;
       and <ulink
-      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>;
-      .</para>
+      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.
+      </para>
 
     <para>The IPF FAQ is at <ulink
       url="http://www.phildev.net/ipf/index.html"></ulink>.</para>;
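Review bot: the context line `</ulink>.</para>;` for the IPF FAQ link carries the same stray `;` after the closing tag that this hunk removes from the previous sentence; if that semicolon is really in chapter.sgml and not an artifact of the archive rendering, fold it into this fix so both link sentences end the same way.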
@@ -350,8 +350,8 @@
         ipfilter_enable="YES"</literal> is used. The loadable
         module was created with logging enabled and the <literal>default
         pass all</literal> options. You do not need to compile IPF into
-        the &os; kernel just to change the default to <literal>block all
-        </literal>, you can do that by just coding a block all rule at
+        the &os; kernel just to change the default to <literal>block
+        all</literal>, you can do that by just coding a block all rule at
         the end of your rule set.</para>
     </sect2>
 
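Review bot: moving the line break out of `<literal>block all</literal>` is the right fix, since the old layout put a newline inside the literal and that renders as trailing whitespace in the monospaced text. While the paragraph is being touched, the sentence is a comma splice: `...the default to <literal>block all</literal>, you can do that by just coding...`; a semicolon or a full stop before `you can` would fix it.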
@@ -521,8 +521,8 @@
        <title>IPMON</title>
        <para>In order for <command>ipmon</command> to work properly, the
          kernel option IPFILTER_LOG must be turned on. This command has
-         2 different modes that it can be used in. Native mode is the default
-         mode when you type the command on the command line without the
+         two different modes that it can be used in. Native mode is the
+         default mode when you type the command on the command line without the
          <option>-D</option> flag.</para>
 
        <para>Daemon mode is for when you want to have a continuous
@@ -595,11 +595,12 @@
        <para>To activate the changes to <filename>/etc/syslog.conf
          </filename> you can reboot or bump the syslog task into
          re-reading <filename>/etc/syslog.conf</filename> by running
-         <command>/etc/rc.d/syslogd restart</command> (<command>
-         kill -HUP <replaceable>PID</replaceable></command> in &os; 4.x. You get the PID (i.e. process
-         identifier) by listing the tasks with the <command>ps -ax</command>
-         command. Find syslog in the display and the PID is the number
-         in the left column).</para>
+         <command>/etc/rc.d/syslogd restart</command>
+         (<command>kill -HUP <replaceable>PID</replaceable></command>
+         in &os; 4.x. You get the PID (i.e. process identifier) by
+         listing the tasks with the <command>ps -ax</command> command.
+         Find syslog in the display and the PID is the number in the
+         left column).</para>
 
        <para>Do not forget to change <filename>/etc/newsyslog.conf
          </filename> to rotate the new log you just created above.
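Review bot: the reflow fixes the whitespace inside `<command>` on the `kill -HUP` line, but the same problem remains in the unchanged context on both sides of the hunk: `<filename>/etc/syslog.conf` with the closing `</filename>` on the next line, and `<filename>/etc/newsyslog.conf` with `</filename>` likewise wrapped. Pull the closing tags back onto the same line so the file names render without a trailing space, as was done for `<literal>block all</literal>` in the hunk at line 350.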
@@ -708,7 +709,7 @@
 <programlisting>############# Start of IPF rules script ########################
 
 oif="dc0"            # name of the outbound interface
-odns="192.0.2.11"    # ISP's dns server IP address
+odns="192.0.2.11"    # ISP's DNS server IP address
 myip="192.0.2.7"     # my static IP address from ISP
 ks="keep state"
 fks="flags S keep state"
@@ -809,7 +810,10 @@
        <note>
          <para>Warning, when working with the firewall rules, always,
            always do it from the root console of the system running the
-           firewall or you can end up locking your self out.</para>
+           firewall or you can end up locking your self out. Or setup a
+           cronjob to flush the Firewall rules say every 5 minutes.
+           (This might not be acceptable for a corporate firewall, but
+           should be for a home firewall.)</para>
        </note>
      </sect2>
 
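Review bot: the added cron-job advice (`setup a cronjob to flush the Firewall rules say every 5 minutes`) trades a lockout risk for an exposure risk and the note should say so. Each flush leaves the host with no filtering until the rule set is loaded again, and the hunk at line 350 states that the stock module is built with the `default pass all` option, so in that window everything is passed. Suggest wording it as a temporary safety net used only while editing the rules and removed once the rule set has been verified, and recommending that the job reload the last known-good rule set rather than just flushing. Also `your self` should be `yourself`, `setup` should be `set up`, and `Firewall` should be lowercase like the rest of the chapter.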
@@ -820,7 +824,7 @@
          rule wins</quote> logic. For the complete legacy rule syntax
          description see the &man.ipf.8; manual page.</para>
 
-       <para><literal>#</literal> is used to mark the start of a comment and may appear at
+       <para>A <literal>#</literal> is used to mark the start of a comment and may appear at
          the end of a rule line or on its own line. Blank lines are
          ignored.</para>
 
@@ -1444,7 +1448,7 @@
 
       <para><acronym>NAT</acronym> rules are loaded by using the <command>ipnat</command>
         command. Typically the <acronym>NAT</acronym> rules are stored
-        in <filename>/etc/ipnat.rules </filename>. See &man.ipnat.1
+        in <filename>/etc/ipnat.rules</filename>. See &man.ipnat.1
         for details.</para>
 
       <para>When changing the <acronym>NAT</acronym> rules after
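Review bot: the edited line still reads `See &man.ipnat.1` with no terminating `;`, whereas the entity in the hunk at line 820 is written `&man.ipf.8;`; since this line is being changed anyway, write `&man.ipnat.1;` so the two manual-page references are consistent.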
@@ -1535,7 +1539,7 @@
       <title>Enabling IP<acronym>NAT</acronym></title>
 
       <para>To enable IP<acronym>NAT</acronym> add these statements to
-        <filename>/etc/rc.conf</filename></para>
+        <filename>/etc/rc.conf</filename>.</para>
 
       <para>To enable your machine to route traffic between
         interfaces:</para>
@@ -1561,12 +1565,14 @@
         becomes a resource problem that may cause problems with the same
         port numbers being used many times across many
         <acronym>NAT</acronym>ed LAN PC's, causing collisions. There
-        are 2 ways to relieve this resource problem.</para>
+        are two ways to relieve this resource problem.</para>
 
       <sect3>
         <title>Assigning Ports to Use</title>
         <!-- What does it mean ? Is there something missing ?-->
-        <para>XXXBLAH</para>
+        <!-- XXXBLAH <- Apparently you can't start a sect
+             with a <programlisting> tag ?-->
+        <para>A normal NAT rule would look like:</para>
 
         <programlisting>map dc0 192.168.1.0/24 -> 0.32</programlisting>
 
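Review bot: the replacement for `XXXBLAH` leaves a second TODO-style comment in the source (`XXXBLAH <- Apparently you can't start a sect with a <programlisting> tag ?`) next to the existing `What does it mean ? Is there something missing ?` comment; now that `<para>A normal NAT rule would look like:</para>` introduces the listing, drop both comments, or keep a single one that states the open question plainly. Separately, the context line `map dc0 192.168.1.0/24 -> 0.32` looks like a typo for `0/32` (every other map rule in this patch uses `-> 0/32`); worth fixing in the same pass.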
@@ -1672,12 +1678,12 @@
 
         <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
 
-        <para>This rule handles the FTP traffic from the gateway.</para>
+        <para>This rule handles the FTP traffic from the gateway:</para>
 
         <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
 
         <para>This rule handles all non-FTP traffic from the internal
-          LAN.</para>
+          LAN:</para>
 
A         <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
 
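Review bot: the context line `A         <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>` starts with a stray `A` where the hunk's leading space should be; as submitted, patch(1) will either reject this hunk or apply it with that character in the file. Regenerate the diff from a clean tree before committing.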
@@ -1701,7 +1707,7 @@
           <acronym>NAT</acronym> FTP proxy is used.</para>
 
         <para>Without the FTP Proxy you will need the following three
-          rules</para>
+          rules:</para>
 
         <programlisting># Allow out LAN PC client FTP to public Internet
 # Active and passive modes
@@ -1724,14 +1730,13 @@
           logged coming in on port 21. The <acronym>NAT</acronym>
           FTP/proxy appears to remove its temp rules prematurely,
           before receiving the response from the remote FTP server
-          acknowledging the close.  Posted problem report to ipf
-          mailing list.</para>
+          acknowledging the close. A problem report was posted to the
+          IPF mailing list.</para>
 
-        <para>Solution is to add filter rule like this one to get rid
+        <para>The solution is to add filter rule like this one to get rid
           of these unwanted log messages or do nothing and ignore FTP
-          inbound error messages in your log. Not like you do FTP
-          session to the public Internet all the time, so this is not
-          a big deal.</para>
+          inbound error messages in your log. Most people don't do
+          outbound FTP too often.</para>
 
         <programlisting>Block in quick on rl0 proto tcp from any to any port = 21</programlisting>
       </sect3>
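Review bot: the rewritten sentence still reads `add filter rule like this one`; it needs the article, `add a filter rule like this one`, and `Most people don't do outbound FTP too often` should avoid the contraction (`do not`), matching `You do not need` earlier in the patch. The rule in the following listing, `Block in quick on rl0 proto tcp from any to any port = 21`, is also out of step with the rest of the chapter: the other rules use `dc0` as the outside interface (`oif="dc0"`, `map dc0 ...`), and the keyword is written `block` in lowercase elsewhere (`<literal>block all</literal>`), so a reader pasting the example gets a rule for the wrong interface.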

>Release-Note:
>Audit-Trail:
>Unformatted: