[PATCH] for the 'firewalls' chapter
Manolis Kiagias
sonic2000gr at gmail.com
Fri Apr 24 08:17:14 UTC 2009
Tom Rhodes wrote:
> Hey Manolis,
>
> My review, as promised, please see comments in line. I'm sorry
> it came so late! Thanks!
>
>
Thank you Tom! Integrated most of your changes and the patch and build
are updated:
http://people.freebsd.org/~manolis/firewalls.diff
http://www.freebsdgr.org/handbook-mine/firewalls.html
A few more comments below:
> <acronym>ALTQ</acronym> with
> - <acronym>PF</acronym>. Traffic shaping for <acronym>IPFILTER</acronym> can currently
> - be done with <acronym>IPFILTER</acronym> for NAT and filtering and
> + <acronym>PF</acronym>. Traffic shaping for IPFILTER can currently
> + be done with IPFILTER for NAT and filtering and
> <acronym>IPFW</acronym> with &man.dummynet.4;
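Review bot: The two added lines drop the <acronym> markup from IPFILTER while ALTQ, PF and IPFW in the same sentence keep it, so the paragraph ends up tagging three of its four acronyms. Either keep <acronym>IPFILTER</acronym> on these lines or remove the tag from all four in one pass. The added text also still chains "for NAT and filtering and IPFW with", so the sentence remains hard to parse; rewording it would fit in this same hunk.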
>
> Too many "and" in this sentence. How about:
>
> "Traffic shaping for IPFILTER can currently be done with IPFILTER
> for NAT. IPFW filtering is handled via the &man.dummynet.4;
> driver ..."
>
> Perhaps the entire paragraph should be re-worded after we
> commit these other changes?
>
>
Yes, the entire paragraph makes no sense to me. If you (or anyone
else) can come up with an alternative, it would be nice to include in
this (already too long) patch...
> Are we using "rule set" or "ruleset" because up above it was just
> one word. We should come to a conclusion and run a %s/one/right one/g
> across this chapter then. :)
>
>
>
True. I changed everything to 'ruleset' for consistency.
> +
> <para>There is no way to match ranges of IP addresses which
> - do not express themselves easily as mask-length. See this
> + do not express themselves easily using the dotted numeric
> + form / mask-length notation. See this
> web page for help on writing mask-length: <ulink
> url="http://jodies.de/ipcalc"></ulink>.</para>
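Review bot: In the added wording "using the dotted numeric form / mask-length notation", the spaced slash reads as "or" rather than as the separator between the address and the mask length. Suggest "using the dotted numeric form with mask-length notation", or writing out one address in that notation so the reader sees the slash in place. The unchanged sentence that follows still says only "help on writing mask-length", so the two sentences now name the notation differently; use the same term in both.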
>
> It's a port too, that ipcalc utility. :)
>
>
>
Added this info too, thanks!
> <para>There are some additional configuration statements that
> need to be enabled to activate the <acronym>NAT</acronym>
> - function of IPFW. The kernel source needs 'option IPDIVERT'
> + function of IPFW. The kernel source needs <literal>option IPDIVERT</literal>
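Review bot: On the added line, "The kernel source needs <literal>option IPDIVERT</literal>" describes a line in the kernel configuration file rather than the kernel source; since this line is being touched anyway, "The kernel configuration file needs" would be more accurate. The added line is also noticeably longer than the lines around it, so rewrap the paragraph after the markup change.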
>
>
> I've always used:
>
> <programlisting>option SOMEOPTION</programlisting>
>
> But that's probably not a huge deal.
>
>
Well, I prefer <literal> for in-paragraph one-liners and
<programlisting> for longer separate sections.
Cheers,
manolis@