[PATCH] for the 'firewalls' chapter
Tom Rhodes
trhodes at FreeBSD.org
Fri Apr 24 08:55:32 UTC 2009
On Fri, 24 Apr 2009 11:17:07 +0300
Manolis Kiagias <sonic2000gr at gmail.com> wrote:
> Tom Rhodes wrote:
> > Hey Manolis,
> >
> > My review, as promised, please see comments in line. I'm sorry
> > it came so late! Thanks!
> >
> >
>
> Thank you Tom! Integrated most of your changes and the patch and build
> are updated:
>
> http://people.freebsd.org/~manolis/firewalls.diff
>
> http://www.freebsdgr.org/handbook-mine/firewalls.html
>
> A few more comments below:
> > <acronym>ALTQ</acronym> with
> > - <acronym>PF</acronym>. Traffic shaping for <acronym>IPFILTER</acronym> can currently
> > - be done with <acronym>IPFILTER</acronym> for NAT and filtering and
> > + <acronym>PF</acronym>. Traffic shaping for IPFILTER can currently
> > + be done with IPFILTER for NAT and filtering and
> > <acronym>IPFW</acronym> with &man.dummynet.4;
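Review bot: the two added lines leave IPFILTER as bare text while ALTQ, PF and IPFW in the same sentence keep their <acronym> wrappers, so the markup inside this one paragraph is now inconsistent. Either keep <acronym>IPFILTER</acronym> here or drop the wrapper from the other names in the same change, and state in the commit message which convention the chapter follows.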
> >
> > Too many "and" in this sentence. How about:
> >
> > "Traffic shaping for IPFILTER can currently be done with IPFILTER
> > for NAT. IPFW filtering is handled via the &man.dummynet.4;
> > driver ..."
> >
> > Perhaps the entire paragraph should be re-worded after we
> > commit these other changes?
> >
> >
>
> Yes, the entire paragraph makes no sense to me. If you (or anyone
> else) can come up with an alternative, it would be nice to include in
> this (already too long) patch...
Good. :)
I just tried and really, perhaps it's just too early, but I'm
at a loss.
>
> > Are we using "rule set" or "ruleset" because up above it was just
> > one word. We should come to a conclusion and run a %s/one/right one/g
> > across this chapter then. :)
> >
> >
> >
>
> True. I changed everything to 'ruleset' for consistency.
Awesome.
>
> > +
> > <para>There is no way to match ranges of IP addresses which
> > - do not express themselves easily as mask-length. See this
> > + do not express themselves easily using the dotted numeric
> > + form / mask-length notation. See this
> > web page for help on writing mask-length: <ulink
> > url="http://jodies.de/ipcalc"></ulink>.</para>
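Review bot: in the added wording "dotted numeric form / mask-length notation" the spaced slash can be read as "either/or" rather than as the address/mask syntax itself, and the following sentence still says "writing mask-length", so the two sentences use different terms for the same thing. Suggest naming the notation once in the first sentence and reusing that name in the second.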
> >
> > It's a port too, that ipcalc utility. :)
> >
> >
> >
>
> Added this info too, thanks!
Awesome.
>
> > <para>There are some additional configuration statements that
> > need to be enabled to activate the <acronym>NAT</acronym>
> > - function of IPFW. The kernel source needs 'option IPDIVERT'
> > + function of IPFW. The kernel source needs <literal>option IPDIVERT</literal>
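Review bot: the changed line ending in <literal>option IPDIVERT</literal> is now noticeably longer than the lines around it; rewrap the paragraph so the added markup does not push it past the width used by the rest of the hunk. The same line also leaves IPFW bare while NAT on the line above is wrapped in <acronym>, which deserves a consistent choice.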
> >
> >
> > I've always used:
> >
> > <programlisting>option SOMEOPTION</programlisting>
> >
> > But that's probably not a huge deal.
> >
> >
>
> Well, I prefer <literal> for in-paragraph one liners and
> <programlisting> for longer separate sections.
Sure, I'm fine with that. :)
--
Tom Rhodes