svn commit: r40732 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at FreeBSD.org
Thu Jan 24 14:28:06 UTC 2013


Author: dru
Date: Thu Jan 24 14:28:05 2013
New Revision: 40732
URL: http://svnweb.freebsd.org/changeset/doc/40732

Log:
  Minor content fix which addresses incorrect usage of it's, Let's, and
  most redundant word errors.
  
  Approved by: bcr (mentor)

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Thu Jan 24 10:39:46 2013	(r40731)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Thu Jan 24 14:28:05 2013	(r40732)
@@ -720,7 +720,7 @@ ipnat_rules="/etc/ipnat.rules"    # rule
 	as a result of applying the user coded rules against packets
 	going in and out of the firewall since it was last started,
 	or since the last time the accumulators were reset to zero
-	by the <command>ipf -Z</command> command.</para>
+	using <command>ipf -Z</command>.</para>
 
       <para>See the &man.ipfstat.8; manual page for details.</para>
 
@@ -776,8 +776,8 @@ ipnat_rules="/etc/ipnat.rules"    # rule
 354727 block out on dc0 from any to any
 430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>
 
-      <para>One of the most important functions of the
-	<command>ipfstat</command> command is the <option>-t</option>
+      <para>One of the most important functions of
+	<command>ipfstat</command> is the <option>-t</option>
 	flag which displays the state table in a way similar to the
 	way &man.top.1; shows the &os; running process table.  When
 	your firewall is under attack, this function gives you the
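Review bot: the unchanged context right after the edited line, "displays the state table in a way similar to the way &man.top.1; shows", still has the redundant-word pattern this commit is cleaning up; suggest "displays the state table much as &man.top.1; shows the &os; process table". A comma before "which" would also help, since the clause is non-restrictive.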
@@ -813,7 +813,7 @@ ipnat_rules="/etc/ipnat.rules"    # rule
 	automatically rotate system logs.  That is why outputting the
 	log information to &man.syslogd.8; is better than the default
 	of outputting to a regular file.  In the default
-	<filename>rc.conf</filename> file, the
+	<filename>rc.conf</filename>, the
 	<literal>ipmon_flags</literal> statement uses the
 	<option>-Ds</option> flags:</para>
 
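Review bot: dropping "file" leaves "the default <filename>rc.conf</filename>" ambiguous. The shipped setting ipmon_flags="-Ds" lives in /etc/defaults/rc.conf, while the other hunks in this patch use /etc/rc.conf for the administrator's own file; suggest spelling out <filename>/etc/defaults/rc.conf</filename> here so readers do not go looking for the line in the wrong file.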
@@ -866,8 +866,8 @@ LOG_ERR - packets which have been logged
        <screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen>
 
       <para>The &man.syslogd.8; function is controlled by definition
-	statements in the <filename>/etc/syslog.conf</filename> file.
-	The <filename>syslog.conf</filename> file offers considerable
+	statements in <filename>/etc/syslog.conf</filename>.
+	This file offers considerable
 	flexibility in how <application>syslog</application> will
 	deal with system messages issued by software applications
 	like IPF.</para>
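Review bot: "The &man.syslogd.8; function is controlled by definition statements" reads oddly: syslogd is a daemon, not a function, and "definition statements" is vague. Suggest "Logging by &man.syslogd.8; is controlled by the entries in <filename>/etc/syslog.conf</filename>." The new "This file offers considerable flexibility" sentence then follows naturally.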
@@ -915,7 +915,7 @@ LOG_ERR - packets which have been logged
 	</listitem>
 
 	<listitem>
-	  <para>The group and rule number of the rule, e.g.
+	  <para>The group and rule number of the rule, e.g.,
 	    <literal>@0:17</literal>.</para>
 	</listitem>
       </orderedlist>
@@ -1053,7 +1053,7 @@ EOF
 	<listitem>
 	  <para>Disable IPFILTER in system startup scripts by adding
 	    <literal>ipfilter_enable="NO"</literal> (this is default
-	    value) into <filename>/etc/rc.conf</filename> file.</para>
+	    value) to <filename>/etc/rc.conf</filename>.</para>
 
 	  <para>Add a script like the following to your
 	    <filename
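Review bot: "(this is default value)" on the changed line is missing an article; suggest the shorter "(the default)", giving "by adding <literal>ipfilter_enable="NO"</literal> (the default) to <filename>/etc/rc.conf</filename>."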
@@ -1541,8 +1541,8 @@ sh /etc/ipf.rules.script</programlisting
 	operating system of your server.</para>
 
       <para>Any time there are logged messages on a rule with
-	the <literal>log first</literal> option, an
-	<command>ipfstat -hio</command> command should be executed
+	the <literal>log first</literal> option,
+	<command>ipfstat -hio</command> should be executed
 	to evaluate how many times the rule has actually matched.
 	Large number of matches usually indicate that the system is
 	being flooded (i.e.: under attack).</para>
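Review bot: the context lines two below the edit, "Large number of matches usually indicate", need "A large number of matches usually indicates", and "(i.e.: under attack)" should be "(i.e., under attack)" for consistency with the "e.g.," fix made earlier in this patch. Both are within the commit's stated scope and sit next to lines already being rewritten.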
@@ -1710,7 +1710,7 @@ block in log first quick on dc0 proto tc
 block in log first quick on dc0 proto tcp/udp from any to any port = 81
 
 # Allow traffic in from ISP's DHCP server. This rule must contain
-# the IP address of your ISP's DHCP server as it's the only
+# the IP address of your ISP's DHCP server as it is the only
 # authorized source to send this packet type. Only necessary for
 # cable or DSL configurations. This rule is not needed for
 # 'user ppp' type connection to the public Internet.
@@ -1772,7 +1772,7 @@ block in log first quick on dc0 all
 	dynamic IP address is used to identify your system to the
 	public Internet.</para>
 
-      <para>Now lets say you have five PCs at home and each one needs
+      <para>Say you have five PCs at home and each one needs
 	Internet access.  You would have to pay your ISP for an
 	individual Internet account for each PC and have five phone
 	lines.</para>
@@ -1847,16 +1847,16 @@ block in log first quick on dc0 all
 
       <indexterm><primary><command>ipnat</command></primary></indexterm>
 
-      <para><acronym>NAT</acronym> rules are loaded by using the
-	<command>ipnat</command> command.  Typically the
+      <para><acronym>NAT</acronym> rules are loaded by using
+	<command>ipnat</command>.  Typically the
 	<acronym>NAT</acronym> rules are stored in
 	<filename>/etc/ipnat.rules</filename>.  See &man.ipnat.8; for
 	details.</para>
 
       <para>When changing the <acronym>NAT</acronym> rules after
 	<acronym>NAT</acronym> has been started, make your changes to
-	the file containing the NAT rules, then run the
-	<command>ipnat</command> command with the <option>-CF</option>
+	the file containing the NAT rules, then run
+	<command>ipnat</command> with the <option>-CF</option>
 	flags to delete the internal in use <acronym>NAT</acronym>
 	rules and flush the contents of the translation table of all
 	active entries.</para>
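Review bot: in the second changed <para>, "the internal in use <acronym>NAT</acronym> rules" should hyphenate "in-use"; and "Typically the" in the first <para> wants a comma after "Typically". Worth folding in while these lines are being touched.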
@@ -2304,8 +2304,8 @@ net.inet.ip.fw.verbose_limit=5</programl
       <programlisting>firewall_enable="YES"</programlisting>
 
       <para>To select one of the default firewall types provided by
-	&os;, select one by reading the
-	<filename>/etc/rc.firewall</filename> file and place it in
+	&os;, select one by reading
+	<filename>/etc/rc.firewall</filename> and place it in
 	the following:</para>
 
       <programlisting>firewall_type="open"</programlisting>
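Review bot: the rewritten sentence still says "select" twice: "To select one of the default firewall types provided by &os;, select one by reading <filename>/etc/rc.firewall</filename> and place it in the following". Suggest: "To use one of the default firewall types provided by &os;, read <filename>/etc/rc.firewall</filename> for the available names and set <literal>firewall_type</literal> accordingly:".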
@@ -2388,8 +2388,7 @@ ipfw add deny out</programlisting>
 	    linkend="firewalls-ipfw-enable"/>).  There is no
 	  <filename>rc.conf</filename> variable to set log
 	  limitations, but it can be set via sysctl variable, manually
-	  or from the <filename>/etc/sysctl.conf</filename>
-	  file:</para>
+	  or from <filename>/etc/sysctl.conf</filename>:</para>
 
 	<programlisting>net.inet.ip.fw.verbose_limit=5</programlisting>
       </warning>
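Review bot: "it can be set via sysctl variable, manually or from <filename>/etc/sysctl.conf</filename>" is missing an article, and the comma makes "manually" read as a third option. Suggest "it can be set with a sysctl variable, either manually or in <filename>/etc/sysctl.conf</filename>:".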
@@ -2610,8 +2609,7 @@ ipfw add deny out</programlisting>
 	    cases, a value of zero removes the logging limit.  Once
 	    the limit is reached, logging can be re-enabled by
 	    clearing the logging counter or the packet counter for
-	    that rule, see the <command>ipfw reset log</command>
-	    command.</para>
+	    that rule, use <command>ipfw reset log</command>.</para>
 
 	  <note>
 	    <para>Logging is done after
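Review bot: replacing "see the ... command" with "use ..." turns the sentence into a comma splice: "clearing the logging counter or the packet counter for that rule, use <command>ipfw reset log</command>." Suggest "for that rule with <command>ipfw resetlog</command>." Note also that the subcommand is one word, resetlog, in &man.ipfw.8;; "reset log" is not a command ipfw accepts, so the spelling should be fixed while this line is being rewritten.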
@@ -2779,7 +2777,7 @@ ipfw add deny out</programlisting>
 	  down attackers.</para>
 
 	<para>Even with the logging facility enabled, IPFW will not
-	  generate any rule logging on it's own.  The firewall
+	  generate any rule logging on its own.  The firewall
 	  administrator decides what rules in the ruleset will be
 	  logged, and adds the <literal>log</literal> verb to those
 	  rules.  Normally only deny rules are logged, like the deny
@@ -2816,9 +2814,8 @@ ipfw add deny out</programlisting>
 	<programlisting>last message repeated 45 times</programlisting>
 
 	<para>All logged packets messages are written by default to
-	  <filename>/var/log/security</filename> file, which is
-	  defined in the <filename>/etc/syslog.conf</filename>
-	  file.</para>
+	  <filename>/var/log/security</filename>, which is
+	  defined in <filename>/etc/syslog.conf</filename>.</para>
       </sect3>
 
       <sect3 id="firewalls-ipfw-rules-script">
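Review bot: "All logged packets messages" in the first line of the changed <para> should be "All logged packet messages"; a one-word fix in a paragraph this hunk already rewrites.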
@@ -2864,8 +2861,8 @@ ks="keep-state"        # just too lazy t
 	  in this example, how the symbolic substitution field are
 	  populated and used are.</para>
 
-	<para>If the above example was in the
-	  <filename>/etc/ipfw.rules</filename> file, the rules could
+	<para>If the above example was in
+	  <filename>/etc/ipfw.rules</filename>, the rules could
 	  be reloaded by entering the following on the command
 	  line.</para>
 
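Review bot: the unchanged context two lines above the edit, "how the symbolic substitution field are populated and used are.", is ungrammatical (singular "field" with plural "are", and a stray trailing "are"); since this is a wording pass, suggest "how the symbolic substitution fields are populated and used." In the changed line, "If the above example was in" should be "were in" (hypothetical), and "on the command line." that introduces a <screen> should end with a colon.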
@@ -3223,7 +3220,7 @@ natd_flags="-dynamic -m"            # -m
 	  <literal>skipto rule 500</literal> for the network address
 	  translation.</para>
 
-	<para>Lets say a LAN user uses their web browser to get a web
+	<para>Say a LAN user uses their web browser to get a web
 	  page.  Web pages are transmitted over port 80.  So the
 	  packet enters the firewall.  It does not match rule 100
 	  because it is headed out rather than  in.  It passes rule
@@ -3231,7 +3228,7 @@ natd_flags="-dynamic -m"            # -m
 	  posted to the keep-state dynamic table yet.  The packet
 	  finally comes to rule 125 a matches.  It is outbound through
 	  the NIC facing the public Internet.  The packet still has
-	  it's source IP address as a private LAN IP address.  On
+	  its source IP address as a private LAN IP address.  On
 	  the match to this rule, two actions take place.  The
 	  <literal>keep-state</literal> option will post this rule
 	  into the keep-state dynamic rules table and the specified
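Review bot: the context line "The packet finally comes to rule 125 a matches." has "a" for "and"; since this hunk edits the line right after it, fix it here: "comes to rule 125 and matches."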
@@ -3254,14 +3251,14 @@ natd_flags="-dynamic -m"            # -m
 	  entry is found,  the associated action,
 	  <literal>skipto 500</literal>, is executed.  The packet
 	  jumps to rule 500 gets <acronym>NAT</acronym>ed and released
-	  on it's way out.</para>
+	  on its way out.</para>
 
 	<para>On the inbound side, everything coming in that is part
 	  of an existing session conversation is being automatically
 	  handled by the <literal>check-state</literal> rule and the
 	  properly placed <literal>divert natd</literal> rules.  All
 	  we have to address is denying all the bad packets and only
-	  allowing in the authorized services.  Lets say there is an
+	  allowing in the authorized services.  Say there is an
 	  apache server running on the firewall box and we want people
 	  on the public Internet to be able to access the local web
 	  site.  The new inbound start request packet matches rule
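Review bot: "apache server" on the changed line should be "Apache server" (proper noun). The surrounding "denying all the bad packets and only allowing in the authorized services" could also be tightened to "blocking unwanted packets and allowing in only the authorized services", but the capitalization is the one to fix in this pass.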
@@ -3454,7 +3451,7 @@ pif="rl0"     # public interface name of
 $cmd 332 deny tcp from any to any established in via $pif
 
 # Allow traffic in from ISP's DHCP server. This rule must contain
-# the IP address of your ISP's DHCP server as it's the only
+# the IP address of your ISP's DHCP server as it is the only
 # authorized source to send this packet type.
 # Only necessary for cable or DSL configurations.
 # This rule is not needed for 'user ppp' type connection to

