docs/167056: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
John Ferrell
jdferrell3 at gmail.com
Sat Apr 21 03:09:51 UTC 2012
> Message-ID: <201204181750.q3IHo6s3087082 at freefall.freebsd.org>
>
> The following reply was made to PR docs/167056; it has been noted by GNATS.
>
> From: Remko Lodder <remko at elvandar.org>
> To: Joe Barbish <fbsd8 at a1poweruser.com>
> Cc: freebsd-gnats-submit at FreeBSD.org
> Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
> Date: Wed, 18 Apr 2012 19:44:44 +0200
>
> On Apr 18, 2012, at 2:37 PM, Joe Barbish wrote:
>
> >
> >> Number: 167056
> >> Category: docs
> >> Synopsis: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
> >> Confidential: no
> >> Severity: critical
> >> Priority: high
> >> Responsible: freebsd-doc
> >> State: open
> >> Quarter:
> >> Keywords:
> >> Date-Required:
> >> Class: doc-bug
> >> Submitter-Id: current-users
> >> Arrival-Date: Wed Apr 18 12:40:02 UTC 2012
> >> Closed-Date:
> >> Last-Modified:
> >> Originator: Joe Barbish
> >> Release: 9.0
> >> Organization:
> > none
> >> Environment:
> >> Description:
> > ERROR Handbook 9.0, firewall section, PF firewall from OpenBSD 4.5
> > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
>
> Is that an error? ;-)
>
> >
> > I am the original author [Joe Barbish] of the whole security firewall section.
> >
> > Previous versions of the FreeBSD handbook had a detailed section on PF including rule examples matching the version of PF included with FreeBSD 9.0. But it was revised and updated by John Ferrell. What he did was to remove a very large section containing example rules. It's obvious this person was unsupervised and has no knowledge of PF or what the real problem was.
>
> I think you should refrain from making this kind of assumption. I remember more of these things from you in the past, you just shouldn't do this, people will not take you seriously. Or better said: I won't take you seriously if you talk like this. The changes were reviewed and committed by a FreeBSD Committer, which means he had spent his time looking into this and obviously not removing vital things that need to stay.
>
> The commit you seem to refer to is this one:
>
> http://www.freebsd.org/cgi/cvsweb.cgi/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml.diff?r1=1.82;r2=1.83
>
> There is no removal of large sections containing example rules in that commit. So I think you must have been mistaken about the actual removal. Please demonstrate what commit you mean.
I am the John Ferrell that Joe is referring to. As Remko noted, the patch
I submitted did not remove any rules; there were no example rules in the
document at the time. The patch was committed in May 2008.
I suspect that when the rules were removed from the handbook it was because
the sample rules included with FreeBSD (/usr/share/examples/pf) and the man
pages cover many different scenarios.
> All that was needed was an additional statement in the FreeBSD handbook security/PF section saying "FreeBSD 9.0 is running an outdated version of PF [4.5]; at PF version [4.7] the syntax of the NAT and ftp-proxy rule changed. The reader should keep in mind the below links reference the OpenBSD 5.0 version of PF, but the sample PF rules shown below do match the version of PF [4.5] included with FreeBSD 9.0." Then add a comment to the NAT rule in the sample rules saying this is the syntax for NAT usage in versions earlier than version 4.7 and then have the new NAT rule with comment for version 4.7 and newer. Then when FreeBSD finally updates to the current version of OpenBSD PF, i.e. 5.0 or 5.1, the links in the FreeBSD handbook would automatically become meaningful.
I agree, it should be made more clear that OpenBSD's PF syntax differs from
that of FreeBSD's. If no one is working on this I'll be glad to submit a
patch.
John
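The syntax change the thread is about, written out as an added example (this is not text from the Handbook, from the PR, or from either poster): the same NAT and ftp-proxy(8) setup in the OpenBSD 4.5-era syntax that FreeBSD 9.0's PF accepts, followed by the equivalent in the syntax introduced with OpenBSD 4.7. The interface names, the LAN prefix and the proxy port are placeholders chosen for illustration; only one of the two variants can be active in a given pf.conf, so the 4.7 variant is left commented out.

```pf
# Added example, not from the Handbook or this thread.
# em0, em1 and 192.168.1.0/24 are placeholder values.
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"

# ---- Syntax accepted by the PF in FreeBSD 9.0 (OpenBSD 4.5 era) ----
# Translation (nat/rdr/binat) is its own section and must come before the
# filter rules. NAT is a standalone "nat" rule:
nat on $ext_if inet from $int_net to any -> ($ext_if)

# ftp-proxy(8) in this era fills nat and rdr anchors of its own, and the FTP
# control connection is redirected to the proxy with an "rdr" rule.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if inet proto tcp from $int_net to any port ftp -> 127.0.0.1 port 8021

# Filter rules follow; the filter anchor is what ftp-proxy uses for its
# per-session pass rules.
anchor "ftp-proxy/*"
pass in  on $int_if inet from $int_net to any
pass out on $ext_if inet from ($ext_if) to any

# ---- Syntax of OpenBSD 4.7 and newer (uncomment, and delete the block above) ----
# "nat", "rdr" and "binat" rules no longer exist. Translation is an option on
# match/pass rules ("nat-to", "rdr-to", "binat-to"), the ordering restriction
# between translation and filter rules is gone, and the separate
# nat-anchor/rdr-anchor lines collapse into a single anchor.
#match out on $ext_if inet from $int_net to any nat-to ($ext_if)
#anchor "ftp-proxy/*"
#pass in quick on $int_if inet proto tcp from $int_net to any port ftp rdr-to 127.0.0.1 port 8021
#pass in  on $int_if inet from $int_net to any
#pass out on $ext_if inet from ($ext_if) to any
```

The practical check is `pfctl -nf /etc/pf.conf`, which parses the file without loading it: a ruleset written for the other syntax is rejected at parse time rather than loaded with a silently missing NAT rule, which is also why copying rules from the current OpenBSD pf.conf(5) into a FreeBSD 9.0 system fails at the "nat-to" or "rdr-to" keyword.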