FreeBSD Bugzilla – Attachment 50203 Details for Bug 76533: Misc punctuation fixes for the FW chapter.
[patch] file.diff (text/plain), 7.47 KB, created by Brad Davis on 2005-01-21 12:40:26 UTC
>--- doc-ori/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml Wed Jan 19 07:01:03 2005 >+++ doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml Fri Jan 21 05:24:47 2005 >@@ -336,8 +336,8 @@ > method see: <ulink > url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink> > and <ulink >- url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink> >- .</para> >+ url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>. >+ </para> > > <para>The IPF FAQ is at <ulink > url="http://www.phildev.net/ipf/index.html"></ulink>.</para> >@@ -350,8 +350,8 @@ > ipfilter_enable="YES"</literal> is used. The loadable > module was created with logging enabled and the <literal>default > pass all</literal> options. You do not need to compile IPF into >- the &os; kernel just to change the default to <literal>block all >- </literal>, you can do that by just coding a block all rule at >+ the &os; kernel just to change the default to <literal>block >+ all</literal>, you can do that by just coding a block all rule at > the end of your rule set.</para> > </sect2> > >@@ -521,8 +521,8 @@ > <title>IPMON</title> > <para>In order for <command>ipmon</command> to work properly, the > kernel option IPFILTER_LOG must be turned on. This command has >- 2 different modes that it can be used in. Native mode is the default >- mode when you type the command on the command line without the >+ two different modes that it can be used in. Native mode is the >+ default mode when you type the command on the command line without the > <option>-D</option> flag.</para> > > <para>Daemon mode is for when you want to have a continuous 
>@@ -595,11 +595,12 @@ > <para>To activate the changes to <filename>/etc/syslog.conf > </filename> you can reboot or bump the syslog task into > re-reading <filename>/etc/syslog.conf</filename> by running >- <command>/etc/rc.d/syslogd restart</command> (<command> >- kill -HUP <replaceable>PID</replaceable></command> in &os; 4.x. You get the PID (i.e. process >- identifier) by listing the tasks with the <command>ps -ax</command> >- command. Find syslog in the display and the PID is the number >- in the left column).</para> >+ <command>/etc/rc.d/syslogd restart</command> >+ (<command>kill -HUP <replaceable>PID</replaceable></command> >+ in &os; 4.x. You get the PID (i.e. process identifier) by >+ listing the tasks with the <command>ps -ax</command> command. >+ Find syslog in the display and the PID is the number in the >+ left column).</para> > > <para>Do not forget to change <filename>/etc/newsyslog.conf > </filename> to rotate the new log you just created above. >@@ -708,7 +709,7 @@ > <programlisting>############# Start of IPF rules script ######################## > > oif="dc0" # name of the outbound interface >-odns="192.0.2.11" # ISP's dns server IP address >+odns="192.0.2.11" # ISP's DNS server IP address > myip="192.0.2.7" # my static IP address from ISP > ks="keep state" > fks="flags S keep state" >@@ -809,7 +810,10 @@ > <note> > <para>Warning, when working with the firewall rules, always, > always do it from the root console of the system running the >- firewall or you can end up locking your self out.</para> >+ firewall or you can end up locking your self out. Or setup a >+ cronjob to flush the Firewall rules say every 5 minutes. >+ (This might not be acceptable for a corporate firewall, but >+ should be for a home firewall.)</para> > </note> > </sect2> 
> >@@ -820,7 +824,7 @@ > rule wins</quote> logic. For the complete legacy rule syntax > description see the &man.ipf.8; manual page.</para> > >- <para><literal>#</literal> is used to mark the start of a comment and may appear at >+ <para>A <literal>#</literal> is used to mark the start of a comment and may appear at > the end of a rule line or on its own line. Blank lines are > ignored.</para> > >@@ -1444,7 +1448,7 @@ > > <para><acronym>NAT</acronym> rules are loaded by using the <command>ipnat</command> > command. Typically the <acronym>NAT</acronym> rules are stored >- in <filename>/etc/ipnat.rules </filename>. See &man.ipnat.1 >+ in <filename>/etc/ipnat.rules</filename>. See &man.ipnat.1 > for details.</para> > > <para>When changing the <acronym>NAT</acronym> rules after >@@ -1535,7 +1539,7 @@ > <title>Enabling IP<acronym>NAT</acronym></title> > > <para>To enable IP<acronym>NAT</acronym> add these statements to >- <filename>/etc/rc.conf</filename></para> >+ <filename>/etc/rc.conf</filename>.</para> > > <para>To enable your machine to route traffic between > interfaces:</para> >@@ -1561,12 +1565,14 @@ > becomes a resource problem that may cause problems with the same > port numbers being used many times across many > <acronym>NAT</acronym>ed LAN PC's, causing collisions. There >- are 2 ways to relieve this resource problem.</para> >+ are two ways to relieve this resource problem.</para> > > <sect3> > <title>Assigning Ports to Use</title> > <!-- What does it mean ? Is there something missing ?--> >- <para>XXXBLAH</para> >+ <!-- XXXBLAH <- Apparently you can't start a sect >+ with a <programlisting> tag ?--> >+ <para>A normal NAT rule would look like:</para> > > <programlisting>map dc0 192.168.1.0/24 -> 0.32</programlisting> 
> >@@ -1672,12 +1678,12 @@ > > <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting> > >- <para>This rule handles the FTP traffic from the gateway.</para> >+ <para>This rule handles the FTP traffic from the gateway:</para> > > <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting> > > <para>This rule handles all non-FTP traffic from the internal >- LAN.</para> >+ LAN:</para> > >A <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting> > >@@ -1701,7 +1707,7 @@ > <acronym>NAT</acronym> FTP proxy is used.</para> > > <para>Without the FTP Proxy you will need the following three >- rules</para> >+ rules:</para> > > <programlisting># Allow out LAN PC client FTP to public Internet > # Active and passive modes >@@ -1724,14 +1730,13 @@ > logged coming in on port 21. The <acronym>NAT</acronym> > FTP/proxy appears to remove its temp rules prematurely, > before receiving the response from the remote FTP server >- acknowledging the close. Posted problem report to ipf >- mailing list.</para> >+ acknowledging the close. A problem report was posted to the >+ IPF mailing list.</para> > >- <para>Solution is to add filter rule like this one to get rid >+ <para>The solution is to add filter rule like this one to get rid > of these unwanted log messages or do nothing and ignore FTP >- inbound error messages in your log. Not like you do FTP >- session to the public Internet all the time, so this is not >- a big deal.</para> >+ inbound error messages in your log. Most people don't do >+ outbound FTP too often.</para> > > <programlisting>Block in quick on rl0 proto tcp from any to any port = 21</programlisting> > </sect3>
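Review bot: the @@ -809 hunk changes the security guidance in the warning note rather than its punctuation, and the new advice is risky as written: a cron job that flushes the rule set every five minutes leaves the host with no filtering at all until the rules are reloaded, and because the loadable module is built with the `default pass all` option (stated in the @@ -350 hunk), a flushed IPF is a fully open firewall. If a lockout-recovery tip is wanted, suggest presenting it as a temporary safety net for the duration of a rule-testing session that must be removed once the rules are confirmed to work, and keeping it out of a patch titled "misc punctuation fixes". While in those lines, `your self` should be `yourself`, `setup` should be `set up`, and `Firewall` should be lowercase like the rest of the paragraph.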
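Review bot: in the @@ -1561 hunk the replacement for `XXXBLAH` leaves the section in an odd state: the editor question `<!-- What does it mean ? Is there something missing ?-->` stays in the source, a second question is added as a comment (`Apparently you can't start a sect with a <programlisting> tag ?`), and the new sentence "A normal NAT rule would look like:" does not say anything about the section's subject, "Assigning Ports to Use". Suggest either writing the missing explanation or dropping the comments rather than committing questions into the handbook source. The unchanged listing right below it, `map dc0 192.168.1.0/24 -> 0.32`, also looks like a typo for `-> 0/32`, which is the spelling every other `map` listing in the @@ -1672 hunk uses; worth fixing while this section is being touched.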
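Review bot: in the @@ -1724 hunk the rewritten sentence is missing an article: `The solution is to add filter rule like this one` should read `add a filter rule like this one`. The rule shown in the listing that follows, `Block in quick on rl0 proto tcp from any to any port = 21`, starts with a capitalised `Block`; the chapter otherwise spells the keyword in lowercase (`block all` in the @@ -350 hunk), so consider lowercasing it here so the example can be pasted into a rule file as-is.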