From nobody@FreeBSD.org  Wed Apr 18 12:37:21 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C1E84106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 18 Apr 2012 12:37:21 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id A1AEE8FC14
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 18 Apr 2012 12:37:21 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q3ICbL09031491
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 18 Apr 2012 12:37:21 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q3ICbLdi031490;
	Wed, 18 Apr 2012 12:37:21 GMT
	(envelope-from nobody)
Message-Id: <201204181237.q3ICbLdi031490@red.freebsd.org>
Date: Wed, 18 Apr 2012 12:37:21 GMT
From: Joe Barbish <fbsd8@a1poweruser.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         167056
>Category:       docs
>Synopsis:       ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 18 12:40:02 UTC 2012
>Closed-Date:    Wed Apr 18 18:45:22 UTC 2012
>Last-Modified:  Sat Apr 21 05:50:07 UTC 2012
>Originator:     Joe Barbish
>Release:        9.0
>Organization:
none
>Environment:
>Description:
ERROR Handbook 9.0, firewall section, PF firewall from OpenBSD 4.5
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html

I am the original author [Joe Barbish] of the whole security firewall section. 

Previous versions of the FreeBSD handbook had a detailed section on PF including rule examples matching the version of PF included with FreeBSD 9.0. But it was revised and updated by John Ferrell. What he did was to remove a very large section containing example rules. It's obvious this person was unsupervised and has no knowledge of PF or what the real problem was.

 
This is what the problem was.
The PF firewall is sourced from another project outside of FreeBSD. PF is sourced from OpenBSD source. OpenBSD, much like FreeBSD, has its own firewall called PF. The version of PF matches the version of OpenBSD it comes from.

The PF version running on FreeBSD 9.0 matches the version included in OpenBSD 4.5.

The documentation on the OpenBSD website for PF is for OpenBSD 5.0 and it has a warning saying "NOTE: NAT configuration was significantly different in earlier versions." This information is for OpenBSD 4.7.

http://pf4freebsd.love2party.net/ has more info about how backdated the FreeBSD 9.0 production version of PF is.


The center of the problem is that the FreeBSD handbook security section on PF had links to the PF firewall documentation of the OpenBSD handbook. At OpenBSD version 4.7 their PF firewall had a major rewrite changing the rule syntax for how NAT rules are coded and how their FTP proxy rules were to be coded. The current OpenBSD version is 5.0, with 5.1 going to be released soon. The OpenBSD handbook PF NAT section got updated at version 4.7 with PF contents describing their new NAT rule syntax, so the links in the FreeBSD handbook for the PF firewall no longer matched the outdated [4.5] version included in FreeBSD 9.0.

John Ferrell's solution to this was to delete all the verbiage and links to the OpenBSD PF section of the OpenBSD handbook, including the sample rule set that was in the FreeBSD handbook PF section. This was a major error in judgment on his part.

All that was needed was an additional statement in the FreeBSD handbook security/PF section saying FreeBSD 9.0 is running an outdated version of PF [4.5]; at PF version [4.7] the syntax of the NAT and ftp-proxy rules changed. The reader should keep in mind the below links reference the OpenBSD 5.0 version of PF, but the sample PF rules shown below do match the version of PF [4.5] included with FreeBSD 9.0. Then add a comment to the NAT rule in the sample rules saying this is the syntax for NAT usage in versions earlier than version 4.7, and then have the new NAT rule with a comment for version 4.7 and newer. Then when FreeBSD finally updates to the current version of OpenBSD PF, i.e. 5.0 or 5.1, the links in the FreeBSD handbook would automatically become meaningful.

I suggest that the online FreeBSD handbook have the security/PF section restored to its previous condition and the above changes made to its content, and that this is done before FreeBSD 8.3 is released.

       



>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: remko 
State-Changed-When: Wed Apr 18 17:45:26 UTC 2012 
State-Changed-Why:  
Awaiting consensus and/or patches. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167056 

From: Remko Lodder <remko@elvandar.org>
To: Joe Barbish <fbsd8@a1poweruser.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section, PF from OpenBSD 4.5
Date: Wed, 18 Apr 2012 19:44:44 +0200

 On Apr 18, 2012, at 2:37 PM, Joe Barbish wrote:
 
 >> Description:
 > ERROR Handbook 9.0, firewall section, PF firewall from OpenBSD 4.5
 > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-pf.html
 
 Is that an error? ;-)
 
 > I am the original author [Joe Barbish] of the whole security firewall section.
 >
 > Previous versions of the FreeBSD handbook had a detailed section on PF including rule examples matching the version of PF included with FreeBSD 9.0. But it was revised and updated by John Ferrell. What he did was to remove a very large section containing example rules. It's obvious this person was unsupervised and has no knowledge of PF or what the real problem was.
 
 I think you should refrain from making these kinds of assumptions. I remember more of these things from you in the past; you just shouldn't do this, people will not take you seriously. Or better said: I won't take you seriously if you talk like this. The changes were reviewed and committed by a FreeBSD committer, which means he had spent his time looking into this and obviously not removing vital things that need to stay.
 
 The commit you seem to refer to is this one:
 
 http://www.freebsd.org/cgi/cvsweb.cgi/doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml.diff?r1=1.82;r2=1.83
 
 There is no removal of large sections containing example rules in that commit. So I think you must have been mistaken about the actual removal. Please demonstrate which commit you mean.
 
 > This is what the problem was.
 > The PF firewall is sourced from another project outside of FreeBSD. PF is sourced from OpenBSD source. OpenBSD, much like FreeBSD, has its own firewall called PF. The version of PF matches the version of OpenBSD it comes from.
 
 They are the same PF; they are not different in that regard. FreeBSD had ported it over so that it runs on our systems, yes, but it's not different.
 
 > The PF version running on FreeBSD 9.0 matches the version included in OpenBSD 4.5.
 
 Could be.
 
 > The documentation on the OpenBSD website for PF is for OpenBSD 5.0 and it has a warning saying "NOTE: NAT configuration was significantly different in earlier versions." This information is for OpenBSD 4.7.
 
 Does that matter if we are at 4.5 as you mention? The handbook gives a few guidelines on how you can do things, but if you want to seriously use things, you need to get yourself the clue needed anyway. Unless you think that the handbook should be a complete walkthrough for everyone that thinks he or she can configure things without actually understanding the problem? I think that is not a good idea; the world needs serious people that can interpret an example and continue from that with their investigations and information.
 
 > http://pf4freebsd.love2party.net/ has more info about how backdated the FreeBSD 9.0 production version of PF is.
 
 I do not think this information is actually relevant.
 
 > The center of the problem is that the FreeBSD handbook security section on PF had links to the PF firewall documentation of the OpenBSD handbook. At OpenBSD version 4.7 their PF firewall had a major rewrite changing the rule syntax for how NAT rules are coded and how their FTP proxy rules were to be coded. The current OpenBSD version is 5.0, with 5.1 going to be released soon. The OpenBSD handbook PF NAT section got updated at version 4.7 with PF contents describing their new NAT rule syntax, so the links in the FreeBSD handbook for the PF firewall no longer matched the outdated [4.5] version included in FreeBSD 9.0.
 
 I think the links are there for demonstration purposes; you might suggest to remove them if the information is hurting our users.
 
 > John Ferrell's solution to this was to delete all the verbiage and links to the OpenBSD PF section of the OpenBSD handbook, including the sample rule set that was in the FreeBSD handbook PF section. This was a major error in judgment on his part.
 
 Don't do things like this.
 
 > All that was needed was an additional statement in the FreeBSD handbook security/PF section saying FreeBSD 9.0 is running an outdated version of PF [4.5]; at PF version [4.7] the syntax of the NAT and ftp-proxy rules changed. The reader should keep in mind the below links reference the OpenBSD 5.0 version of PF, but the sample PF rules shown below do match the version of PF [4.5] included with FreeBSD 9.0. Then add a comment to the NAT rule in the sample rules saying this is the syntax for NAT usage in versions earlier than version 4.7, and then have the new NAT rule with a comment for version 4.7 and newer. Then when FreeBSD finally updates to the current version of OpenBSD PF, i.e. 5.0 or 5.1, the links in the FreeBSD handbook would automatically become meaningful.
 
 It's not an outdated version, it's the version we use. That the source had continued development and made changes doesn't make it outdated on our end. There are active maintainers; Ermal for example is doing work on pf and there are efforts on going to a newer version.
 
 > I suggest that the online FreeBSD handbook have the security/PF section restored to its previous condition and the above changes made to its content, and that this is done before FreeBSD 8.3 is released.
 
 That won't happen. You are too late for that.
 
 I'd suggest that you create a unified diff containing the information you suggest to include, then someone can review it and commit it if needed. If not, then it won't change.
 In addition: please consider discussing this on the doc@ mailing list so that you can actually get a consensus on how to proceed with this, instead of just blindly filing a PR and attacking people with your fogged judgement.
 
 Thank you^2.
 
 -- 
 /"\   With kind regards,			| remko@elvandar.org
 \ /   Remko Lodder			| remko@FreeBSD.org
  X    FreeBSD					| http://www.evilcoder.org
 / \   The Power to Serve		| Quis custodiet ipsos custodes
 
State-Changed-From-To: suspended->closed 
State-Changed-By: crees 
State-Changed-When: Wed Apr 18 18:45:21 UTC 2012 
State-Changed-Why:  
After discussing with another developer, we have agreed that this would 
be much better discussed on a mailing list.  Please try to keep personal 
attacks to a minimum and stick to technical details. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167056 

From: Mark Linimon <linimon@lonesome.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section, PF from
 OpenBSD 4.5
Date: Sat, 21 Apr 2012 00:45:44 -0500

 ----- Forwarded message from "Peter N. M. Hansteen" <peter@bsdly.net> -----
 
 Date: Wed, 18 Apr 2012 20:56:34 +0200
 From: "Peter N. M. Hansteen" <peter@bsdly.net>
 To: remko@FreeBSD.org
 Cc: freebsd-doc@FreeBSD.org, fbsd8@a1poweruser.com
 Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section,
 	PF from OpenBSD 4.5
 
 remko@FreeBSD.org writes:
 
 > Awaiting consensus and/or patches.
 
 I won't guarantee that http://bsdly.net/~peter/freebsd/fw.diff still
 applies cleanly (dated 15 November 2006), but it's there to be taken and
 processed by anybody who feels the urge for more PF content in that
 chapter of the FreeBSD Handbook.  The text is all mine, taken from the
 online tutorial at http://home.nuug.no/~peter/pf/ (also referenced in
 the diff), which has both pre-4.7 and post-4.7 syntax where the two
 differ and is, as always, BSD licensed.
 
 It may also be worth mentioning that The Book of PF, 2nd edition has
 both pre- and post-4.7 material. That book did not yet exist when I made
 the patch, but a reference to it might be appropriate to mention it in
 the PF section of the handbook as possible resource, say by way of a
 reference to the book's home page (http://nostarch.com/pf2.htm) or
 somesuch.
 
 - Peter
 -- 
 Peter N. M. Hansteen, member of the first RFC 1149 implementation team
 http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
 "Remember to set the evil bit on all malicious network traffic"
 delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
 
 ----- End forwarded message -----

From: Mark Linimon <linimon@lonesome.com>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section, PF from
 OpenBSD 4.5
Date: Sat, 21 Apr 2012 00:46:15 -0500

 ----- Forwarded message from John Ferrell <jdferrell3@gmail.com> -----
 
 Date: Fri, 20 Apr 2012 23:09:40 -0400
 From: John Ferrell <jdferrell3@gmail.com>
 To: freebsd-doc@freebsd.org
 Subject: Re: docs/167056: ERROR Handbook 9.0, firewall section, PF from
 	OpenBSD 4.5
 
 I am the John Ferrell that Joe is referring to.  As Remko noted, the patch
 I submitted did not remove any rules--there were no example rules in the 
 document at the time.  The patch was committed in May 2008.
 
 I suspect that when the rules were removed from the handbook it was because 
 the sample rules included with FreeBSD (/usr/share/examples/pf) and the man 
 pages cover many different scenarios.  
  
 >  All that was needed was an additional statement in the FreeBSD handbook security/PF section saying FreeBSD 9.0 is running an outdated version of PF [4.5]; at PF version [4.7] the syntax of the NAT and ftp-proxy rules changed. The reader should keep in mind the below links reference the OpenBSD 5.0 version of PF, but the sample PF rules shown below do match the version of PF [4.5] included with FreeBSD 9.0. Then add a comment to the NAT rule in the sample rules saying this is the syntax for NAT usage in versions earlier than version 4.7, and then have the new NAT rule with a comment for version 4.7 and newer. Then when FreeBSD finally updates to the current version of OpenBSD PF, i.e. 5.0 or 5.1, the links in the FreeBSD handbook would automatically become meaningful.
 
 I agree, it should be made more clear that OpenBSD's PF syntax differs from
 that of FreeBSD's.  If no one is working on this I'll be glad to submit a 
 patch.
 
 John
 
 ----- End forwarded message -----
>Unformatted:
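The syntax difference this PR, Peter Hansteen's reply and John Ferrell's reply all turn on, shown side by side as an added example. This is not text from the PR, from the FreeBSD Handbook, or from any of the participants: file 1 is a minimal pf.conf in the pre-4.7 form that the pf(4) shipped with FreeBSD 9.0 (imported from OpenBSD 4.5) parses, and file 2 is the same policy in the OpenBSD 4.7-and-later form that the current OpenBSD PF documentation shows. The interface names em0/em1, the 192.168.1.0/24 network and the 192.168.1.10 web server are placeholder values chosen for the example.

```conf
# ---------------------------------------------------------------
# File 1: pf.conf for OpenBSD PF before 4.7 (FreeBSD 9.0's pf(4)).
# Translation is done by separate nat/rdr rules, and pf.conf
# ordering is enforced: options, normalization, queueing,
# translation (nat/rdr/binat), then filter rules.
# ---------------------------------------------------------------
ext_if  = "em0"            # placeholder: Internet-facing interface
int_if  = "em1"            # placeholder: LAN interface
int_net = "192.168.1.0/24" # placeholder: LAN network
web_srv = "192.168.1.10"   # placeholder: internal web server

# Translation section (must come before any filter rule).
# Outbound NAT: rewrite LAN source addresses to the address of $ext_if.
nat on $ext_if from $int_net to any -> ($ext_if)

# Inbound port forward. "rdr pass" also passes the redirected
# connection, so no separate pass rule is needed for it.
rdr pass on $ext_if proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

# ftp-proxy(8), pre-4.7 style: the proxy inserts its own nat/rdr
# rules into these anchors, and LAN FTP control connections are
# redirected to the proxy listening on 127.0.0.1:8021.
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# Filter section.
anchor "ftp-proxy/*"
block in all
pass out keep state
pass in on $int_if from $int_net to any keep state

# ---------------------------------------------------------------
# File 2: the same policy for OpenBSD PF 4.7 and later.
# nat/rdr rules and the ordering requirement are gone; translation
# is an option (nat-to, rdr-to) attached to match or pass rules,
# and ftp-proxy uses divert-to instead of rdr anchors.
# FreeBSD 9.0's pfctl(8) rejects every translation line below.
# ---------------------------------------------------------------
ext_if  = "em0"
int_if  = "em1"
int_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# Outbound NAT as a match rule: translation is applied, then the
# packet continues to be evaluated against the pass/block rules.
match out on $ext_if from $int_net to any nat-to ($ext_if)

# Inbound port forward: rdr-to sits on the pass rule itself.
pass in on $ext_if proto tcp from any to ($ext_if) port 80 rdr-to $web_srv port 80

# ftp-proxy(8), 4.7+ style.
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp from $int_net to any port 21 divert-to 127.0.0.1 port 8021

block in all
pass out keep state
pass in on $int_if from $int_net to any keep state
```

The quickest way to tell which dialect a given pf(4) speaks is a parse-only load, `pfctl -nf /path/to/pf.conf`, which checks the file without touching the running rule set. On FreeBSD 9.0 file 1 parses and file 2 fails with a syntax error at the first `nat-to` line; on OpenBSD 4.7 or later the reverse happens, because `nat`, `rdr`, `nat-anchor` and `rdr-anchor` were removed from the grammar. That is the distinction the handbook note proposed in this PR would have spelled out next to the sample rules.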
