Date: Fri, 29 Dec 2023 12:06:06 GMT
Message-Id: <202312291206.3BTC66wk066261@gitrepo.freebsd.org>
To: doc-committers@FreeBSD.org, dev-commits-doc-all@FreeBSD.org
From: Benedict Reuschling
Subject: git: f0950bd41a - main - Whitespace fixes at the end of line
List-Id: Commit messages for all branches of the doc repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-doc-all
Sender: owner-dev-commits-doc-all@freebsd.org
X-Git-Committer: bcr
X-Git-Repository: doc
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: f0950bd41a500237aaf3a5890f6b1ebe916db5dc

The branch main has been updated by bcr:

URL: https://cgit.FreeBSD.org/doc/commit/?id=f0950bd41a500237aaf3a5890f6b1ebe916db5dc

commit f0950bd41a500237aaf3a5890f6b1ebe916db5dc
Author:     Benedict Reuschling
AuthorDate: 2023-12-29 12:05:52 +0000
Commit:     Benedict Reuschling
CommitDate: 2023-12-29 12:05:52 +0000

    Whitespace fixes at the end of line
---
 documentation/content/en/articles/filtering-bridges/_index.adoc | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/documentation/content/en/articles/filtering-bridges/_index.adoc b/documentation/content/en/articles/filtering-bridges/_index.adoc
index 5452add1bc..1ef6adc085 100644
--- a/documentation/content/en/articles/filtering-bridges/_index.adoc
+++ b/documentation/content/en/articles/filtering-bridges/_index.adoc
@@ -168,7 +168,7 @@ If so, the next step is to add the `net.link.ether.bridge._[blah]_=_[blah]_` por Now it is time to create your own file with custom firewall rules, to secure the inside network. There will be some complication in doing this because not all of the firewall functionalities are available on bridged packets. -Furthermore, there is a difference between the packets that are in the process of being forwarded and packets that are being received by the local machine. +Furthermore, there is a difference between the packets that are in the process of being forwarded and packets that are being received by the local machine. In general, incoming packets are run through the firewall only once, not twice as is normally the case; in fact they are filtered only upon receipt, so rules that use `out` or `xmit` will never match. Personally, I use `in via` which is an older syntax, but one that has a sense when you read it. Another limitation is that you are restricted to use only `pass` or `drop` commands for packets filtered by a bridge. 
@@ -271,12 +271,12 @@ Note that for "relay" and "ns" to work, name service lookups must work _before_ This is an example of making sure that you set the IP on the correct network card. Alternatively it is possible to specify the IP address instead of the host name (required if the machine is IP-less). -People that are used to setting up firewalls are probably also used to either having a `reset` or a `forward` rule for ident packets (TCP port 113). +People that are used to setting up firewalls are probably also used to either having a `reset` or a `forward` rule for ident packets (TCP port 113). Unfortunately, this is not an applicable option with the bridge, so the best thing is to simply pass them to their destination. As long as that destination machine is not running an ident daemon, this is relatively harmless. The alternative is dropping connections on port 113, which creates some problems with services like IRC (the ident probe must timeout). -The only other thing that is a little weird that you may have noticed is that there is a rule to let the bridge machine speak, and another for internal hosts. +The only other thing that is a little weird that you may have noticed is that there is a rule to let the bridge machine speak, and another for internal hosts. Remember that this is because the two sets of traffic will take different paths through the kernel and into the packet filter. The inside net will go through the bridge, while the local machine will use the normal IP stack to speak. Thus the two rules to handle the different cases.
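Review bot: in the @@ -168 hunk the removed and added "Furthermore, there is a difference between the packets ..." lines read identically, so the only change is trailing whitespace, yet the subject "Whitespace fixes at the end of line" does not say which document was touched. Suggest naming the article in the subject, for example "articles/filtering-bridges: Remove trailing whitespace", so the change can be found in the log without opening the diff.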
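Review bot: the @@ -271 hunk fixes two lines ("People that are used to setting up firewalls ..." and "The only other thing that is a little weird ..."), but the diff cannot show whether other lines of _index.adoc still end in blanks. A whole-file check before committing, such as `grep -n '[[:space:]]$' _index.adoc`, would show any that remain. Plain trailing blanks do not affect AsciiDoc paragraph rendering, so the rendered article should be unchanged by either hunk.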