svn commit: r43914 - head/en_US.ISO8859-1/books/handbook/firewalls

From: Dru Lavigne <dru_at_FreeBSD.org>
Date: Thu, 13 Feb 2014 23:55:25 +0000 (UTC)
Author: dru
Date: Thu Feb 13 23:55:24 2014
New Revision: 43914
URL: http://svnweb.freebsd.org/changeset/doc/43914

Log:
  Shuffle the first part of this chapter to improve its readability.
  Many more commits to come.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Thu Feb 13 23:21:17 2014	(r43913)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Thu Feb 13 23:55:24 2014	(r43914)
_at__at_ -215,7 +215,7 _at__at_
       integrated part of the base system.
       <application>PF</application> is a complete, full-featured
       firewall that has optional support for
-      <acronym>ALTQ</acronym> (Alternate Queuing), which provides
+      <application>ALTQ</application> (Alternate Queuing), which provides
       Quality of Service (<acronym>QoS</acronym>).</para>
 
     <para>Since the OpenBSD Project maintains the definitive
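Review bot: the markup change on the ALTQ line goes the wrong way: the same sentence expands ALTQ as "Alternate Queuing", so `<acronym>ALTQ</acronym>` was the correct element, while `<application>` is what the file uses for programs such as PF. Suggest reverting this one-line change.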
_at__at_ -230,21 +230,25 _at__at_
 	xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
 
     <sect2>
-      <title>Using the PF Loadable Kernel Modules</title>
+      <title>Enabling <application>PF</application></title>
 
-      <para>In order to use PF, the PF kernel module must be first
+      <para>In order to use <application>PF</application>, its module must be first
 	loaded.  Add the following line to
 	<filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>pf_enable="YES"</programlisting>
 
-      <para>Then, run the startup script to load the module:</para>
-
-      <screen>&prompt.root; <userinput>service pf start</userinput></screen>
-
-      <para>The PF module will not load if it cannot find the
-	ruleset configuration file.  The default location is
-	<filename>/etc/pf.conf</filename>.  If the PF ruleset is
+      <para>Additional options can be passed to
+	<application>PF</application> when it is started.  Refer to
+	&man.pfctl.8; for the available options and specify any
+	required flags by
+	adding another entry to <filename>/etc/rc.conf</filename>:</para>
+      
+      <programlisting>pf_flags=""                     # additional flags for pfctl startup</programlisting>
+
+      <para>The module will not load if it cannot find the
+	ruleset configuration file.  A default ruleset is located
+	<filename>/etc/pf.conf</filename>.  If a custom ruleset is
 	located somewhere else, add a line to
 	<filename>/etc/rc.conf</filename> which specifies the full
 	path to the file:</para>
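Review bot: grammar in the added sentence "A default ruleset is located <filename>/etc/pf.conf</filename>": a preposition is missing, so write "A default ruleset is located at <filename>/etc/pf.conf</filename>". Also "its module must be first loaded" reads more naturally as "its module must first be loaded", and the added line between the pf_flags paragraph and its `<programlisting>` consists only of trailing spaces, which should be stripped.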
_at__at_ -253,26 +257,34 _at__at_
 
       <para>The sample <filename>pf.conf</filename>
 	can be found in
-	<filename>/usr/share/examples/pf/</filename>.</para>
-
-      <para>The <application>PF</application> module can also be
-	loaded manually from the command line:</para>
-
-      <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
+	<filename>/usr/share/examples/pf/</filename>.  The rest of
+	this chapter demonstrates how to create a custom ruleset.</para>
+ 
+      <para>Then, run the startup script to load the module:</para>
 
-      <para>Logging support for PF is provided by
-	<varname>pflog.ko</varname> which can be loaded by adding the
+      <screen>&prompt.root; <userinput>service pf start</userinput></screen>
+      <para>Logging support for <application>PF</application> is provided by
+	&man.pflog.4; which can be loaded by adding the
 	following line to <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>pflog_enable="YES"</programlisting>
 
-      <para>Then, run the startup script to load the module:</para>
+      <para>The following &man.rc.conf.5; statements can also be used to
+	change the default location of the log file or to specify any
+	additional flags:</para>
+
+ <programlisting>pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
+pflog_flags=""                  # additional flags for pflogd startup</programlisting>
+
+      <para>Save the edits, then run the startup script to load the logging module:</para>
 
       <screen>&prompt.root; <userinput>service pflog start</userinput></screen>
-    </sect2>
 
-    <sect2>
-      <title>PF Kernel Options</title>
+      <para>If there is a <acronym>LAN</acronym> behind the firewall and packets need to
+	be forwarded for the computers on the <acronym>LAN</acronym>, or <acronym>NAT</acronym> is required,
+	add the following option:</para>
+
+      <programlisting>gateway_enable="YES"            # Enable as LAN gateway</programlisting>
 
       <indexterm>
 	<primary>kernel options</primary>
_at__at_ -289,6 +301,7 _at__at_
 	<secondary>device pfsync</secondary>
       </indexterm>
 
+      <note>
       <para>While it is not necessary to compile
 	<application>PF</application> support into the &os; kernel,
 	some of PF's advanced features are not included in the
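Review bot: the `<note>` opened here is indented six spaces, and the `<para>` it now encloses keeps its previous six-space indentation, so the note's children sit at the same level as the note tag; the file's convention is one further level of indentation for children (compare `<para>` inside `<sect2>`). Since this note runs across several paragraphs and the kernel-options `<programlisting>` down to the `</note>` in the last hunk, either re-indent that whole span or limit the note to the single paragraph explaining why compiling PF into the kernel is optional.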
_at__at_ -297,12 +310,10 _at__at_
 	used by <application>PF</application>.  It can be paired with
 	&man.carp.4; to create failover firewalls using
 	<application>PF</application>.  More information on
-	<acronym>CARP</acronym> can be found in <link
-	  linkend="carp">of the Handbook</link>.</para>
+	<acronym>CARP</acronym> can be found in <xref linkend="carp"/>.</para>
 
       <para>The following <application>PF</application> kernel options
-	can be found in
-	<filename>/usr/src/sys/conf/NOTES</filename>:</para>
+	are available:</para>
 
       <programlisting>device pf
 device pflog
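Review bot: replacing "can be found in <filename>/usr/src/sys/conf/NOTES</filename>" with "are available" drops the only pointer to where these options are documented in the source tree; suggest keeping the path, for example "The following <application>PF</application> kernel options are available and are documented in <filename>/usr/src/sys/conf/NOTES</filename>:".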
_at__at_ -319,27 +330,7 _at__at_ device pfsync</programlisting>
       <para><literal>device pfsync</literal> enables the optional
 	&man.pfsync.4; pseudo-network device that is used to monitor
 	<quote>state changes</quote>.</para>
-    </sect2>
-
-    <sect2>
-      <title>Available <filename>rc.conf</filename> Options</title>
-
-      <para>The following &man.rc.conf.5; statements can be used to
-	configure <application>PF</application> and &man.pflog.4; at
-	boot:</para>
-
-      <programlisting>pf_enable="YES"                 # Enable PF (load module if required)
-pf_rules="/etc/pf.conf"         # rules definition file for pf
-pf_flags=""                     # additional flags for pfctl startup
-pflog_enable="YES"              # start pflogd(8)
-pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
-pflog_flags=""                  # additional flags for pflogd startup</programlisting>
-
-      <para>If there is a LAN behind the firewall and packets need to
-	be forwarded for the computers on the LAN, or NAT is required,
-	add the following option:</para>
-
-      <programlisting>gateway_enable="YES"            # Enable as LAN gateway</programlisting>
+    </note>
     </sect2>
 
     <sect2>
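Review bot: the closing `</note>` added here is indented four spaces while the opening `<note>` in the earlier hunk uses six, so the two tags do not line up; align them. Separately, the removed consolidated `rc.conf` listing was the only place in this diff showing `pf_rules="/etc/pf.conf"         # rules definition file for pf`; the Enabling PF section now tells the reader to add a line giving the full path to a custom ruleset, so confirm the listing there (outside the visible context at the start of the third hunk) still carries the `pf_rules` entry, otherwise the option disappears from the chapter.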
Received on Thu Feb 13 2014 - 23:55:25 UTC