docs/167056: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
Remko Lodder
remko at elvandar.org
Wed Apr 18 17:50:07 UTC 2012
The following reply was made to PR docs/167056; it has been noted by GNATS.
From: Remko Lodder <remko at elvandar.org>
To: Joe Barbish <fbsd8 at a1poweruser.com>
Cc: freebsd-gnats-submit at FreeBSD.org
Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
Date: Wed, 18 Apr 2012 19:44:44 +0200
On Apr 18, 2012, at 2:37 PM, Joe Barbish wrote:
>
>> Number: 167056
>> Category: docs
>> Synopsis: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
>> Confidential: no
>> Severity: critical
>> Priority: high
>> Responsible: freebsd-doc
>> State: open
>> Quarter:
>> Keywords:
>> Date-Required:
>> Class: doc-bug
>> Submitter-Id: current-users
>> Arrival-Date: Wed Apr 18 12:40:02 UTC 2012
>> Closed-Date:
>> Last-Modified:
>> Originator: Joe Barbish
>> Release: 9.0
>> Organization:
> none
>> Environment:
>> Description:
> ERROR Handbook 9.0, firewall section, PF firewall from OpenBSD 4.5
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
Is that an error? ;-)
>
> I am the original author [Joe Barbish] of the whole security firewall section.
>
> Previous versions of the FreeBSD handbook had a detailed section on PF including rule examples matching the version of PF included with FreeBSD 9.0. But it was revised and updated by John Ferrell. What he did was to remove a very large section containing example rules. It's obvious this person was unsupervised and has no knowledge of PF or what the real problem was.
I think you should refrain from making these kinds of assumptions. I remember more of these things from you in the past; you just shouldn't do this, people will not take you seriously. Or better said: I won't take you seriously if you talk like this. The changes were reviewed and committed by a FreeBSD Committer, which means he had spent his time looking into this and obviously not removing vital things that need to stay.
The commit you seem to refer to is this one:
http://www.freebsd.org/cgi/cvsweb.cgi/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml.diff?r1=1.82;r2=1.83
There is no removal of large sections containing example rules in that commit. So I think you must have been mistaken about the actual removal. Please demonstrate which commit you mean.
>
>
> This is what the problem was.
> PF firewall is sourced from another project outside of FreeBSD. PF is sourced from OpenBSD source. OpenBSD, much like FreeBSD, has its own firewall called PF. The version of PF matches the version of OpenBSD it comes from.
They are the same PF, they are not different in that regard. FreeBSD had ported it over so that it runs on our systems, yes, but it's not different.
>
> The PF version running on FreeBSD 9.0 matches the version included in OpenBSD 4.5.
Could be.
>
> The documentation on the OpenBSD website for PF is for OpenBSD 5.0 and it has a warning saying "NOTE: NAT configuration was significantly different in earlier versions." This information is for OpenBSD 4.7.
Does that matter if we are at 4.5 as you mention? The handbook gives a few guidelines on how you can do things, but if you want to seriously use things, you need to get yourself the clue needed anyway. Unless you think that the handbook should be a complete walkthrough for everyone that thinks he or she can configure things without actually understanding the problem? I think that is not a good idea; the world needs serious people that can interpret an example and continue from that with their investigations and information.
>
> http://pf4freebsd.love2party.net/ has more info about how backdated the 9.0 FreeBSD production version of PF is.
>
I do not think this information is actually relevant.
>
> The center of the problem is the FreeBSD handbook Security section of PF had links to the PF firewall documentation of the OpenBSD handbook. At OpenBSD version 4.7 their PF firewall had a major rewrite changing the rule syntax for how NAT rules are coded and how their FTP proxy rules were to be coded. The current OpenBSD version is 5.0 with 5.1 going to be released soon. The OpenBSD handbook PF NAT section got updated at version 4.7 with PF contents describing their new NAT rule syntax, so the links in the FreeBSD handbook for PF firewall no longer matched the outdated [4.5] version included in FreeBSD 9.0.
I think the links are there for demonstration purposes; you might suggest removing them if the information is hurting our users.
>
> John Ferrell's solution to this was to delete all the verbiage and links to the OpenBSD PF section of the OpenBSD handbook including the sample rule set that was in the FreeBSD handbook PF section. This was a major error in judgment on his part.
Don't do things like this.
>
> All that was needed was an additional statement in the FreeBSD handbook security/PF section saying "FreeBSD 9.0 is running an outdated version of PF [4.5]; at PF version [4.7] the syntax of the NAT and ftp-proxy rule changed. The reader should keep in mind the below links reference the OpenBSD 5.0 version of PF, but the sample PF rules shown below do match the version of PF [4.5] included with FreeBSD 9.0." Then add a comment to the NAT rule in the sample rules saying this is the syntax for NAT usage in versions earlier than version 4.7 and then have the new NAT rule with a comment for version 4.7 and newer. Then when FreeBSD finally updates to the current version of OpenBSD PF, i.e. 5.0 or 5.1, the links in the FreeBSD handbook would automatically become meaningful.
It's not an outdated version, it's the version we use. That the source had continued development and made changes doesn't make it outdated on our end. There are active maintainers; Ermal for example is doing work on pf and there are ongoing efforts to go to a newer version.
>
> I suggest the online FreeBSD handbook have the security/PF section restored to its previous condition and the above changes made to its content, and that this is done before FreeBSD 8.3 is released.
That won't happen. You are too late for that.
I'd suggest that you create a unified diff containing the information you suggest to include; then someone can review it and commit it if needed. If not, then it won't change.
In addition: please consider discussing this on the doc@ mailing list so that you can actually get a consensus on how to proceed with this, instead of just blindly filing a PR and attacking people with your fogged judgement.
Thank you^2.
>
>> How-To-Repeat:
>
>> Fix:
>
>> Release-Note:
>> Audit-Trail:
>> Unformatted:
-- 
/"\ With kind regards, | remko at elvandar.org
\ / Remko Lodder | remko at FreeBSD.org
 X  FreeBSD | http://www.evilcoder.org
/ \ The Power to Serve | Quis custodiet ipsos custodes
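For reference, the NAT and ftp-proxy syntax change the thread argues about, shown as an added illustration that is neither from this mail nor from the FreeBSD handbook. The interface names, the LAN prefix and the proxy address are assumed; the pre-4.7 and 4.7-and-later variants are listed side by side for comparison, and only one variant belongs in a given pf.conf.

```pf
# Added illustration, not from the mail or the handbook.
# Interface names, LAN prefix and proxy address below are assumed.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
proxy   = "127.0.0.1"

# ---- NAT, PF before OpenBSD 4.7 (the PF shipped with FreeBSD 9.0) ----
# Translation is a separate "nat" rule, evaluated before the filter rules.
nat on $ext_if from $lan_net to any -> ($ext_if)

# ---- NAT, PF from OpenBSD 4.7 on (what the OpenBSD 5.0 docs describe) ----
# Translation is an option ("nat-to") on a match or pass rule; a bare
# "nat on ..." rule is a syntax error in this version.
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# ---- ftp-proxy, before 4.7 ----
# Separate nat/rdr anchors plus a "rdr" rule redirect FTP control
# connections from the LAN to the local ftp-proxy listener.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $lan_net to any port 21 -> $proxy port 8021
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 flags S/SA keep state

# ---- ftp-proxy, 4.7 and later ----
# One anchor; the redirect is expressed as "rdr-to" on a pass rule.
anchor "ftp-proxy/*"
pass in quick on $int_if proto tcp from $lan_net to any port 21 rdr-to $proxy port 8021
pass out proto tcp from $proxy to any port 21

# Check which syntax the installed PF accepts without loading anything:
#   pfctl -nf /etc/pf.conf
# The pre-4.7 PF in FreeBSD 9.0 rejects "nat-to"/"rdr-to"; a 4.7+ PF
# rejects "nat on" and "rdr on", which is exactly why the handbook's
# links and its sample rules need to agree on one version.
```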