New firewall section (was: Re: HEADS UP: doc/ slush begins)
Giorgos Keramidas
keramida at freebsd.org
Mon Sep 20 16:13:00 UTC 2004
On 2004-09-20 17:16, Giorgos Keramidas <keramida at ceid.upatras.gr> wrote:
> On 2004-09-20 15:07, Ceri Davies <ceri at submonkey.net> wrote:
> > If you're available now, and would like to work at this, please do.
>
> I'm at work, so there's an upper limit of the time I can spend on
> `other' tasks, but I'll try to send you a review until later tonight :)
I think this needs a fair bit of work, but if I find the time to sit down and
reorganize, copy, paste, merge and test all of the changes I have in mind,
I'll reply again later tonight. Right now, all I have is a comparative TOC
for the two sections (before and after the patch submitted by Brad).
OLD LAYOUT | NEW LAYOUT
========================================|======================================
|
+ Introduction | + Introduction
|
+ What Is a Firewall? | + Firewall Rule Set Types
- Packet Filtering Routers |
- Proxy Servers | + Firewall Software Applications
|
+ What does IPFW allow me to do? | + OpenBSD's PF Firewall
|
+ Enabling IPFW on FreeBSD | + The IPFILTER (IPF) Firewall
| - Enabling IPF
+ Configuring IPFW | - Kernel Options
- Altering the IPFW Rules | - Available rc.conf Options
- Listing the IPFW Rules | - IPF
- Flushing the IPFW Rules | - IPFSTAT
- Clearing the IPFW Packet Counters | - IPMON
| - IPMON Logging
+ Example Commands for IPFW | - The Format of Logged Messages
| - Building the Rule Script
+ Building a Packet Filtering Firewall | - IPF Rule Sets
| - IPF Rule Syntax
+ IPFW Overhead and Optimization | . ACTION
| . IN-OUT
| . OPTIONS
| . SELECTION
| . PROTO
| . SRC_ADDR/DST_ADDR
| . PORT
| . TCP_FLAG
| . STATEFUL
| - Stateful Filtering
| - Inclusive Rule set Example
| - NAT
| - IPNAT
| - IPNAT Rules
| - How NAT Works
| - Enabling IPNAT
| - NAT for a Very Large LAN
| . Assigning Ports to Use
| . Using a pool of public
| addresses
| - Port Redirection
| - FTP and NAT
| . IPNAT Rules
| . IPNAT FTP Filter Rules
| . FTP NAT Proxy Bug
|
| + IPFW
| - Enabling IPFW
| - Kernel Options
| - /etc/rc.conf Options
| - The IPFW Command
| - IPFW Rule Sets
| . Rule Syntax
| . CMD
| . RULE#
| . ACTION
| . Logging
| . Selection
| . Stateful Rule Option
| . Logging Firewall Messages
| . Building Rule Script
| . Stateful Ruleset
| . An Example Inclusive Ruleset
| . An Example NAT and Stateful
| Ruleset
|
________________________________________|______________________________________
It's obvious with just a quick glance that the proposed patch contains a hell
of a lot more material than the original chapter. It also removes some parts
that I consider useful[1]; it lacks a fair bit in the area of organization and
presentation of the topics discussed[2]; it contains several forward
references[3] and pushes with a bit more strength than I'd like for an
``inclusive'' type of firewall for all FreeBSD installations.
Most of these, especially the last point, are things I've discussed with
Joseph J. Barbish in the past on -questions and privately. Now that this has
finally (yeah, it was about time!) started being integrated into the Handbook,
I'd like to ask for approval from Joseph, Brad (who put a tremendous amount of
work in this already), Ceri and our translators to hold back for a couple of
days until I reshape this a bit.
It's great stuff. I most certainly want it in the Handbook for 5.3-RELEASE.
But it's going to take at least a couple of days until I have something to
show you all, and I'm not sure if asking for a delay so close to the tagging
of the doc/ tree for 5.3-RELEASE is reasonable.
What do you all think? Do we have the time to spend a few days organizing,
enhancing and bringing this new wonderful piece of documentation into the
Handbook? It's a big diff (more than 3000 lines now) and I'm a bit worried
the translators won't really have the time to work on this even if it goes in
CVS tonight.
- Giorgos
PS: I don't have Joseph's email address anymore. Can someone (i.e. Brad)
forward this to him, in case he's not subscribed to the -doc list.
----- Notes -----
[1] I'm referring to the IPFW overhead section and the introductory material
of the original text which is IMHO in a better shape and contains a lot more
details about what this section is about, what a firewall is and why it's
useful.
[2] The sub-sections and sub-sub-sections of IPF and IPFW seem to be just a
mixed listing of concepts, commands, tools and ideas. I'd prefer something
that resembled `theoretical background' near the beginning and a `task driven'
list at the end of each different firewall-type with a lot of the common
theory stuff moved as far up as possible.
[3] For instance, in the IPF sub-section ``Building the Rule Script'' is
before the explanation of what a ``rule set'' is. There are a few more, but I
have to give a good look at this before I decide what's in the right place and
what is not.