svn commit: r43997 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at
Wed Feb 19 21:22:41 UTC 2014

Author: dru
Date: Wed Feb 19 21:22:40 2014
New Revision: 43997

  Initial editorial pass through intro of this chapter.
  Sponsored by: iXsystems


Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Feb 19 20:38:58 2014	(r43996)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Feb 19 21:22:40 2014	(r43997)
@@ -1509,8 +1509,8 @@ block drop out quick on $ext_if from any
     <para><application>IPFILTER</application>, also known as
       <application>IPF</application>, is a cross-platform, open source firewall which
-      has been ported to &os;, NetBSD, OpenBSD, and
-      &solaris; operating systems.</para>
+      has been ported to several operating systems, including &os;, NetBSD, OpenBSD, and
+      &solaris;.</para>
     <para><application>IPFILTER</application> is a kernel-side firewall and
       <acronym>NAT</acronym> mechanism that can be controlled and
@@ -1525,32 +1525,25 @@ block drop out quick on $ext_if from any
     <para><application>IPF</application> was originally written using a rule processing logic
       of <quote>the last matching rule wins</quote> and only used
-      stateless rules.  Over time, <application>IPF</application> has been enhanced to include a
-      <quote>quick</quote> option and a stateful
-      <quote>keep state</quote> option which modernized the rules
-      processing logic.  <application>IPF</application>'s official documentation covers only the
-      legacy rule coding parameters and rule file processing logic and
-      the modernized functions are only included as additional
-      options.</para>
-    <para>The instructions contained in this section are based on
-      using rules that contain <quote>quick</quote> and
-      <quote>keep state</quote> as these provide the basic framework
-      for configuring an inclusive firewall ruleset.</para>
+      stateless rules.  Since then, <application>IPF</application> has been enhanced to include
+      the <literal>quick</literal> and
+      <literal>keep state</literal> options.</para>
     <para>For a detailed explanation of the legacy rules processing
       method, refer to <uri
-	xlink:href=""></uri>
-      and <uri
     <para>The <application>IPF</application> FAQ is at <uri
-	xlink:href=""></uri>.</para>
-    <para>A searchable archive of the IPFilter mailing list is
+	xlink:href=""></uri>.
+      A searchable archive of the IPFilter mailing list is
       available at <uri
-	xlink:href=""></uri>.</para>
+	xlink:href=""></uri>.</para>
+    <para>This section of the Handbook focuses on
+      <application>IPF</application> as it pertains to FreeBSD.
+      It provides examples which uses
+      rules that contain the <literal>quick</literal> and
+      <literal>keep state</literal> options.</para>
       <title>Enabling <application>IPF</application></title>
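Review bot: "It provides examples which uses rules" in the new closing paragraph should read "examples which use rules". Separately, this hunk drops the only sentence explaining why the legacy versus modern distinction matters, yet keeps the pointer to "the legacy rules processing method", which now has no context. Consider keeping one sentence stating the behaviour the examples rely on: without `quick`, IPF evaluates the entire ruleset and the last matching rule wins, whereas `quick` stops evaluation at the first match, and `keep state` lets the reply traffic through without a separate rule. Readers copying the `quick`/`keep state` examples into a ruleset written in the legacy style will otherwise get rule ordering wrong.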
@@ -1560,7 +1553,7 @@ block drop out quick on $ext_if from any
-      <para> is included in the basic &os; install as a kernel
+      <para><application>IPF</application> is included in the basic &os; install as a kernel
 	loadable module, meaning that a custom kernel is not needed in
 	order to enable <application>IPF</application>.</para>
@@ -1590,22 +1583,21 @@ block drop out quick on $ext_if from any
       <para>For users who prefer to statically compile <application>IPF</application> support
 	into a custom kernel, refer to the instructions in <xref
-	  linkend="kernelconfig"/>.  The following <application>IPF</application> option statements are
+	  linkend="kernelconfig"/>.  The following kernel options are
       <programlisting>options IPFILTER
 options IPFILTER_DEFAULT_BLOCK</programlisting>
       <para>where <literal>options IPFILTER</literal> enables support for
-	<application>IPFILTER</application>.</para>
-      <para><literal>options IPFILTER_LOG</literal> enables IPF
+	<application>IPFILTER</application>, <literal>options IPFILTER_LOG</literal> enables <application>IPF</application>
 	logging using the <filename>ipl</filename> packet logging
-	pseudo—device for every rule that has the
-	<literal>log</literal> keyword.</para>
-      <para><literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
+	pseudo device for every rule that has the
+	<literal>log</literal> keyword,
+	<literal>IPFILTER_LOOKUP</literal> enables <acronym>IP</acronym> pools in
+	order to speed up <acronym>IP</acronym> lookups, and <literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
 	the default behavior so that any packet not matching a
 	firewall <literal>pass</literal> rule gets blocked.</para>
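Review bot: the four options are named inconsistently in the new sentence: `options IPFILTER`, `options IPFILTER_LOG` and `options IPFILTER_DEFAULT_BLOCK` carry the `options` keyword but `IPFILTER_LOOKUP` does not; write `<literal>options IPFILTER_LOOKUP</literal>` for the kernel config line. Also check that the `<programlisting>` immediately above lists every option the sentence describes; the visible context shows only `options IPFILTER` and `options IPFILTER_DEFAULT_BLOCK`, so `IPFILTER_LOG` and `IPFILTER_LOOKUP` are described but may not appear in the listing the reader copies. Stylistically, a single sentence joining four "X enables Y" clauses with commas is hard to follow; a `<variablelist>` with one entry per option would match how the rest of the Handbook documents kernel options.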
@@ -1614,7 +1606,8 @@ options IPFILTER_DEFAULT_BLOCK</programl
 	the following entries to
 	<filename>/etc/rc.conf</filename>.  These entries will also enable logging and
 	<literal>default pass all</literal>.  To change the
-	default to <literal>block all</literal>, add a
+	default policy to <literal>block all</literal> without 
+	compiling a custom kernel, remember to add a
 	<literal>block all</literal> rule at the end of the
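Review bot: the phrase "add a `block all` rule" should not read as a literal rule, because ipf.conf(5) rules require a direction (`in` or `out`); the closing rules for a default-deny ruleset are `block in all` and `block out all`. Since the preceding sentence tells the reader that the module-loaded configuration defaults to "pass all", it is worth being exact here: a reader who omits the `out` rule, or types `block all` and gets a parse error, ends up with the permissive default they were trying to remove.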
@@ -1633,7 +1626,7 @@ ipmon_flags="-Ds"                 # D = 
 ipnat_enable="YES"                # Start ipnat function
 ipnat_rules="/etc/ipnat.rules"    # rules definition file for ipnat</programlisting>
-      <para>To start <application>IPF</application> now:</para>
+      <para>Then, to start <application>IPF</application> now:</para>
       <programlisting>&prompt.root; <command>service ipfilter start</command></programlisting>
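Review bot: "Then, to start IPF now:" mixes "then" and "now" and reads awkwardly; "To start IPF without rebooting:" says what is meant. Note also that the `rc.conf` listing just above enables `ipmon` and `ipnat` as well, and `service ipfilter start` starts only the filter; FreeBSD ships separate `ipmon` and `ipnat` rc scripts (`service ipmon start`, `service ipnat start`), so either mention those here or say that they are started on the next boot.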