| Summary: | ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5 | | |
|---|---|---|---|
| Product: | Documentation | Reporter: | Joe barbish <fbsd8> |
| Component: | Books & Articles | Assignee: | freebsd-doc (Nobody) <doc> |
| Status: | Closed FIXED | | |
| Severity: | Affects Only Me | | |
| Priority: | Normal | | |
| Version: | Latest | | |
| Hardware: | Any | | |
| OS: | Any | | |
Description
Joe barbish
2012-04-18 13:40:02 UTC
On Apr 18, 2012, at 2:37 PM, Joe Barbish wrote:

>> Description:
> ERROR Handbook 9.0, firewall section, PF firewall from OpenBSD 4.5
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

Is that an error? ;-)

> I am the original author [Joe Barbish] of the whole security firewall section.
>
> Previous versions of the FreeBSD handbook had a detailed section on PF including rule examples matching the version of PF included with FreeBSD 9.0. But it was revised and updated by John Ferrell. What he did was to remove a very large section containing example rules. It's obvious this person was unsupervised and has no knowledge of PF or what the real problem was.

I think you should refrain from making these kinds of assumptions. I remember more of these things from you in the past, you just shouldn't do this, people will not take you seriously. Or better said: I won't take you seriously if you talk like this. The changes were reviewed and committed by a FreeBSD committer, which means he had spent his time looking into this and obviously not removing vital things that need to stay.

The commit you seem to refer to is this one:
http://www.freebsd.org/cgi/cvsweb.cgi/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml.diff?r1=1.82;r2=1.83

There is no removal of large sections containing example rules in that commit. So I think you must have been mistaken about the actual removal. Please demonstrate what commit you mean.

> This is what the problem was.
> PF firewall is sourced from another project outside of FreeBSD. PF is sourced from OpenBSD source. OpenBSD much like FreeBSD has its own firewall called PF. The version of PF matches the version of OpenBSD it comes from.

They are the same PF, they are not different in that regard. FreeBSD had ported it over so that it runs on our systems yes, but it's not different.

> The PF version running on FreeBSD 9.0 matches the version included in OpenBSD 4.5.

Could be.

> The documentation on the OpenBSD website for PF is for OpenBSD 5.0 and it has a warning saying "NOTE: NAT configuration was significantly different in earlier versions." This information is for OpenBSD 4.7.

Does that matter if we are at 4.5 as you mention? The handbook gives a few guidelines on how you can do things, but if you want to seriously use things, you need to get yourself the clue needed anyway. Unless you think that the handbook should be a complete walkthrough for everyone that thinks he or she can configure things without actually understanding the problem? I think that is not a good idea, the world needs serious people that can interpret an example and continue from that with their investigations and information.

> http://pf4freebsd.love2party.net/ has more info about how backdated the 9.0 FreeBSD production version of PF is.

I do not think this information is actually relevant.

> The center of the problem is the FreeBSD handbook Security section of PF had links to the PF firewall documentation of the OpenBSD handbook. At OpenBSD version 4.7 their PF firewall had a major rewrite changing the rule syntax for how NAT rules are coded and how their FTP proxy rules were to be coded. The current OpenBSD version is 5.0 with 5.1 going to be released soon. The OpenBSD handbook PF NAT section got updated at version 4.7 with PF contents describing their new NAT rule syntax, so the links in the FreeBSD handbook for PF firewall no longer matched the outdated [4.5] version included in FreeBSD 9.0.

I think the links are there for demonstration purposes, you might suggest to remove them if the information is hurting our users.

> John Ferrell's solution to this was to delete all the verbiage and links to the OpenBSD PF section of the OpenBSD handbook including the sample rule set that was in the FreeBSD handbook PF section. This was a major error in judgment on his part.

Don't do things like this.

> All that was needed was an additional statement in the FreeBSD handbook security/PF section saying "FreeBSD 9.0 is running an outdated version of PF [4.5], at PF version [4.7] the syntax of the NAT and ftp-proxy rule changed. The reader should keep in mind the below links reference the OpenBSD 5.0 version of PF, but the sample PF rules shown below do match the version of PF [4.5] included with FreeBSD 9.0." Then add a comment to the NAT rule in the sample rules saying this is the syntax for NAT usage in versions earlier than version 4.7 and then have the new NAT rule with comment for version 4.7 and newer. Then when FreeBSD finally updates to the current version of OpenBSD PF, i.e. 5.0 or 5.1, the links in the FreeBSD handbook would automatically become meaningful.

It's not an outdated version, it's the version we use. That the source had continued development and made changes doesn't make it outdated on our end. There are active maintainers, Ermal for example is doing work on pf and there are efforts on going to a newer version.

> I suggest the online FreeBSD handbook have the security/PF section restored to its previous condition and the above changes made to its content and that this is done before FreeBSD 8.3 is released.

That won't happen. You are too late for that.

I'd suggest that you create a unified diff containing the information you suggest to include, then someone can review it and commit it if needed. If not, then it won't change.

In addition: please consider discussing this on the doc@ mailing list so that you can actually get a consensus on how to proceed with this, instead of just blindly filing a PR and attacking people with your fogged judgement.

Thank you^2.

--
/"\ With kind regards, | remko@elvandar.org
\ / Remko Lodder | remko@FreeBSD.org
 X  FreeBSD | http://www.evilcoder.org
/ \ The Power to Serve | Quis custodiet ipsos custodes

State Changed
From-To: open->suspended

Awaiting consensus and/or patches.

State Changed
From-To: suspended->closed

After discussing with another developer, we have agreed that this would be much better discussed on a mailing list. Please try to keep personal attacks to a minimum and stick to technical details.

----- Forwarded message from "Peter N. M. Hansteen" <peter@bsdly.net> -----

Date: Wed, 18 Apr 2012 20:56:34 +0200
From: "Peter N. M. Hansteen" <peter@bsdly.net>
To: remko@FreeBSD.org
Cc: freebsd-doc@FreeBSD.org, fbsd8@a1poweruser.com
Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5

remko@FreeBSD.org writes:

> Awaiting consensus and/or patches.

I won't guarantee that http://bsdly.net/~peter/freebsd/fw.diff still applies cleanly (dated 15 November 2006), but it's there to be taken and processed by anybody who feels the urge for more PF content in that chapter of the FreeBSD Handbook. The text is all mine, taken from the online tutorial at http://home.nuug.no/~peter/pf/ (also referenced in the diff), which has both pre-4.7 and post-4.7 syntax where the two differ and is, as always, BSD licensed.

It may also be worth mentioning that The Book of PF, 2nd edition has both pre- and post-4.7 material. That book did not yet exist when I made the patch, but it might be appropriate to mention it in the PF section of the handbook as a possible resource, say by way of a reference to the book's home page (http://nostarch.com/pf2.htm) or somesuch.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.

----- End forwarded message -----

----- Forwarded message from John Ferrell <jdferrell3@gmail.com> -----

Date: Fri, 20 Apr 2012 23:09:40 -0400
From: John Ferrell <jdferrell3@gmail.com>
To: freebsd-doc@freebsd.org
Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5

I am the John Ferrell that Joe is referring to. As Remko noted, the patch I submitted did not remove any rules--there were no example rules in the document at the time. The patch was committed in May 2008. I suspect that when the rules were removed from the handbook it was because the sample rules included with FreeBSD (/usr/share/examples/pf) and the man pages cover many different scenarios.

> All that was needed was an additional statement in the FreeBSD handbook security/PF section saying "FreeBSD 9.0 is running an outdated version of PF [4.5], at PF version [4.7] the syntax of the NAT and ftp-proxy rule changed. The reader should keep in mind the below links reference the OpenBSD 5.0 version of PF, but the sample PF rules shown below do match the version of PF [4.5] included with FreeBSD 9.0." Then add a comment to the NAT rule in the sample rules saying this is the syntax for NAT usage in versions earlier than version 4.7 and then have the new NAT rule with comment for version 4.7 and newer. Then when FreeBSD finally updates to the current version of OpenBSD PF, i.e. 5.0 or 5.1, the links in the FreeBSD handbook would automatically become meaningful.

I agree, it should be made more clear that OpenBSD's PF syntax differs from that of FreeBSD's. If no one is working on this I'll be glad to submit a patch.

John

----- End forwarded message -----
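The syntax change the whole thread argues about is easy to state but the messages never show it. Below is an added example, written for this page and not taken from the thread, the Handbook, or /usr/share/examples/pf: the same small NAT gateway with an inbound web-server redirect and ftp-proxy(8), written once in the pre-4.7 `nat`/`rdr` dialect (the syntax Joe attributes to the PF in FreeBSD 9.0) and once in the 4.7-and-later `match ... nat-to` / `rdr-to` / `divert-to` dialect that the OpenBSD 5.0 documentation the Handbook linked to describes. The interface names em0/em1, the 192.168.1.0/24 LAN and the 192.168.1.10 web server are assumptions; the two files are alternatives, each loadable only with `pfctl -nf` on a pf of the matching generation, which is exactly why a reader following the OpenBSD links on an older pf got syntax errors.

```pf
# ===== /etc/pf.conf, pre-4.7 dialect (OpenBSD <= 4.6, and the pf the thread
# ===== says ships with FreeBSD 9.0). Added example; addresses are assumed.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
www_srv = "192.168.1.10"

set skip on lo0

# Translation is done by dedicated nat/rdr rules, evaluated before the filter
# rules. A translated packet must still be passed by a filter rule further down.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv port 80

# ftp-proxy(8), old form: the proxy populates the nat-anchor/rdr-anchor and
# LAN FTP control connections are rdr'ed into it on 127.0.0.1:8021.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
anchor "ftp-proxy/*"

# Filter rules. The rdr'ed web traffic is matched on its *translated* address.
block in all
pass out quick keep state
pass in on $int_if from $lan_net to any keep state
pass in on $ext_if proto tcp from any to $www_srv port 80 flags S/SA keep state


# ===== /etc/pf.conf, 4.7-and-later dialect (what the OpenBSD 5.0 PF pages
# ===== linked from the Handbook describe). Same policy, same assumptions.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
www_srv = "192.168.1.10"

set skip on lo0

# nat, rdr, nat-anchor and rdr-anchor no longer exist. Translation became an
# option on match/pass rules, so translation and filtering happen in one pass
# and a pass rule with rdr-to both redirects and allows the traffic.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# ftp-proxy(8), new form: divert-to instead of rdr, and only the main anchor.
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from $lan_net to any port 21 divert-to 127.0.0.1 port 8021

block in all
pass out quick keep state
pass in on $int_if from $lan_net to any keep state
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $www_srv port 80
```

The practical check before copying a rule set from any PF document into a FreeBSD box is `pfctl -nf /etc/pf.conf` (parse only, do not load): on a pre-4.7 pf the `nat-to`/`rdr-to`/`divert-to` file fails to parse, and on a 4.7-or-later pf the `nat on`/`rdr on` file fails the same way, which is the mismatch between the Handbook's sample rules and its OpenBSD links that this PR was about.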