From owner-svn-doc-head@freebsd.org  Mon Jan  2 16:16:58 2017
Return-Path: <owner-svn-doc-head@freebsd.org>
Delivered-To: svn-doc-head@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id CE95DC9C7D3;
 Mon,  2 Jan 2017 16:16:58 +0000 (UTC)
 (envelope-from maxim.konovalov@gmail.com)
Received: from mp2.macomnet.net (mp2.macomnet.net [195.128.64.6])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 5C5711A97;
 Mon,  2 Jan 2017 16:16:55 +0000 (UTC)
 (envelope-from maxim.konovalov@gmail.com)
Received: from localhost (localhost [127.0.0.1])
 by mp2.macomnet.net (8.15.2/8.15.2) with ESMTP id v02G958C074412;
 Mon, 2 Jan 2017 19:09:05 +0300 (MSK)
 (envelope-from maxim.konovalov@gmail.com)
Date: Mon, 2 Jan 2017 19:09:05 +0300 (MSK)
From: Maxim Konovalov <maxim.konovalov@gmail.com>
To: Warren Block <wblock@FreeBSD.org>
cc: doc-committers@freebsd.org, svn-doc-all@freebsd.org,
 svn-doc-head@freebsd.org
Subject: Re: svn commit: r49600 - head/en_US.ISO8859-1/books/handbook/firewalls
In-Reply-To: <201610281531.u9SFVL7u096914@repo.freebsd.org>
Message-ID: <alpine.BSF.2.20.1701021904430.83306@mp2.macomnet.net>
References: <201610281531.u9SFVL7u096914@repo.freebsd.org>
User-Agent: Alpine 2.20 (BSF 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.23
Precedence: list
List-Id: SVN commit messages for the doc tree for head
 <svn-doc-head.freebsd.org>
List-Unsubscribe: <https://lists.freebsd.org/mailman/options/svn-doc-head>,
 <mailto:svn-doc-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-doc-head/>
List-Post: <mailto:svn-doc-head@freebsd.org>
List-Help: <mailto:svn-doc-head-request@freebsd.org?subject=help>
List-Subscribe: <https://lists.freebsd.org/mailman/listinfo/svn-doc-head>,
 <mailto:svn-doc-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2017 16:16:58 -0000

Hi Warren,

On Fri, 28 Oct 2016, 15:31-0000, Warren Block wrote:

[...]
>  # Allow outbound NTP
> -&dollar;cmd 00260 allow tcp from any to any 37 out via &dollar;pif setup keep-state
> +&dollar;cmd 00260 allow udp from any to any 123 out via &dollar;pif setup keep-state
>
>  # Allow outbound SSH
>  &dollar;cmd 00280 allow tcp from any to any 22 out via &dollar;pif setup keep-state
>
Are you sure about this change?  NTP is UDP based protocol.  In the
same time "setup" is TCP only feature (why ipfw(8) allows it to use in
conjunction with the UDP proto is a different story)

I think the comment is what should be fixed here.

-- 
Maxim Konovalov