From bdavis@house.so14k.com  Fri Jan 21 12:32:23 2005
Return-Path: <bdavis@house.so14k.com>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id EE73E16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 21 Jan 2005 12:32:23 +0000 (GMT)
Received: from ender.liquidneon.com (ender.liquidneon.com [64.78.150.163])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5BCE743D48
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 21 Jan 2005 12:32:23 +0000 (GMT)
	(envelope-from bdavis@house.so14k.com)
Received: from localhost (localhost [127.0.0.1])
	by ender.liquidneon.com (Postfix) with ESMTP id B31EF43E5
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 21 Jan 2005 05:32:20 -0700 (MST)
Received: from ender.liquidneon.com ([127.0.0.1])
 by localhost (ender.liquidneon.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 93280-01 for <FreeBSD-gnats-submit@freebsd.org>;
 Fri, 21 Jan 2005 05:32:19 -0700 (MST)
Received: from mccaffrey.house.so14k.com (gw.house.so14k.com [216.87.87.128])
	by ender.liquidneon.com (Postfix) with ESMTP id 044AA43B0
	for <FreeBSD-gnats-submit@freebsd.org>; Fri, 21 Jan 2005 05:32:18 -0700 (MST)
Received: by mccaffrey.house.so14k.com (Postfix, from userid 1001)
	id 88022E7B; Fri, 21 Jan 2005 05:32:18 -0700 (MST)
Message-Id: <20050121123218.88022E7B@mccaffrey.house.so14k.com>
Date: Fri, 21 Jan 2005 05:32:18 -0700 (MST)
From: Brad Davis <so14k@so14k.com>
Reply-To: Brad Davis <so14k@so14k.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Misc punctuation fixes for the FW chapter.
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         76533
>Category:       docs
>Synopsis:       Misc punctuation fixes for the FW chapter.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    keramida
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jan 21 12:40:26 GMT 2005
>Closed-Date:    Fri Jan 21 14:34:08 GMT 2005
>Last-Modified:  Fri Jan 21 14:34:08 GMT 2005
>Originator:     Brad Davis
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
>Environment:
System: FreeBSD mccaffrey.house.so14k.com 4.10-STABLE FreeBSD 4.10-STABLE #0: Fri May 28 08:02:41 MDT 2004 root@mccaffrey.house.so14k.com:/usr/obj/usr/src/sys/MCCAFFREY i386
>Description:
	1. Remove a space before a period.
	2. Remove a space before a comma.
	3. s/2/two/
	4. Fix spacing around a parenthesis.
	5. s/dns/DNS/
	6. Add note about using a cronjob to flush the rules every so often to prevent locking oneself out.
	7. Add missing beginning.
	8. Remove another space before a period.
	9. Add a missing period.
	10. s/2/two/
	11. Ack! Remove the XXXBLAH I left and replace it with something useful.
	12. s/\./:/
	13. Add a missing :
	14. Fix wording.
>How-To-Repeat:
>Fix:
--- doc-ori/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml       Wed Jan 19 07:01:03 2005
+++ doc/en_US.ISO8859-1/books/handbook/firewalls/chapter.sgml   Fri Jan 21 05:24:47 2005
@@ -336,8 +336,8 @@
       method see: <ulink
       url="http://www.obfuscation.org/ipf/ipf-howto.html#TOC_1"></ulink>
       and <ulink
-      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>
-      .</para>
+      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.
+      </para>
 
     <para>The IPF FAQ is at <ulink
       url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
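Review bot: the `+      </para>` line still leaves the closing tag on a line of its own, so the whitespace that sat before the period now sits before `</para>` instead of being removed; fold it onto the previous line as `...ip-filter.html"></ulink>.</para>` so the hunk actually fixes the spacing.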
@@ -350,8 +350,8 @@
         ipfilter_enable="YES"</literal> is used. The loadable
         module was created with logging enabled and the <literal>default
         pass all</literal> options. You do not need to compile IPF into
-        the &os; kernel just to change the default to <literal>block all
-        </literal>, you can do that by just coding a block all rule at
+        the &os; kernel just to change the default to <literal>block
+        all</literal>, you can do that by just coding a block all rule at
         the end of your rule set.</para>
     </sect2>
 
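Review bot: moving the line break out of `<literal>block all</literal>` is the right fix, but the comma splice on the `+ ... all</literal>, you can do that` line remains; a semicolon after `</literal>` or rewording to "since you can do that by just adding a block all rule" would read better. "coding a block all rule" is also odd wording for a configuration file entry.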
@@ -521,8 +521,8 @@
        <title>IPMON</title>
        <para>In order for <command>ipmon</command> to work properly, the
          kernel option IPFILTER_LOG must be turned on. This command has
-         2 different modes that it can be used in. Native mode is the default
-         mode when you type the command on the command line without the
+         two different modes that it can be used in. Native mode is the
+         default mode when you type the command on the command line without the
          <option>-D</option> flag.</para>
 
        <para>Daemon mode is for when you want to have a continuous
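Review bot: this hunk re-wraps two lines to change a single word, so the diff shows four changed lines for `2` -> `two`; keep the original line breaks and change only the word so the content change stands on its own. The new `+         default mode when you type ...` line is also longer than the line it replaces and exceeds 72 columns.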
@@ -595,11 +595,12 @@
        <para>To activate the changes to <filename>/etc/syslog.conf
          </filename> you can reboot or bump the syslog task into
          re-reading <filename>/etc/syslog.conf</filename> by running
-         <command>/etc/rc.d/syslogd restart</command> (<command>
-         kill -HUP <replaceable>PID</replaceable></command> in &os; 4.x. You get the PID (i.e. process
-         identifier) by listing the tasks with the <command>ps -ax</command>
-         command. Find syslog in the display and the PID is the number
-         in the left column).</para>
+         <command>/etc/rc.d/syslogd restart</command>
+         (<command>kill -HUP <replaceable>PID</replaceable></command>
+         in &os; 4.x. You get the PID (i.e. process identifier) by
+         listing the tasks with the <command>ps -ax</command> command.
+         Find syslog in the display and the PID is the number in the
+         left column).</para>
 
        <para>Do not forget to change <filename>/etc/newsyslog.conf
          </filename> to rotate the new log you just created above.
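Review bot: the parenthesis opened at `(<command>kill -HUP` does not close until `left column).` three sentences later, so the 4.x aside reads as an unclosed parenthetical; close it after `in &os; 4.x)` and, if the PID lookup is kept at all, make it a sentence of its own. The `ps -ax` description is also fragile, since the PID is only the left column with the default column order; `killall -HUP syslogd` removes the need to explain PIDs here.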
@@ -708,7 +709,7 @@
 <programlisting>############# Start of IPF rules script ########################
 
 oif="dc0"            # name of the outbound interface
-odns="192.0.2.11"    # ISP's dns server IP address
+odns="192.0.2.11"    # ISP's DNS server IP address
 myip="192.0.2.7"     # my static IP address from ISP
 ks="keep state"
 fks="flags S keep state"
@@ -809,7 +810,10 @@
        <note>
          <para>Warning, when working with the firewall rules, always,
            always do it from the root console of the system running the
-           firewall or you can end up locking your self out.</para>
+           firewall or you can end up locking your self out. Or setup a
+           cronjob to flush the Firewall rules say every 5 minutes.
+           (This might not be acceptable for a corporate firewall, but
+           should be for a home firewall.)</para>
        </note>
      </sect2>
 
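Review bot: the new advice to `flush the Firewall rules say every 5 minutes` from cron needs its consequence stated: once the rule set is flushed the host runs with the module's default, which the -350 hunk of this same patch describes as `pass all`, so the machine is unfiltered until the rules are loaded again. Present it as a temporary safety net used only while editing rules and removed afterwards, or say "reload a known-good rule set" if that is what is meant. Spelling: `your self` -> `yourself`, `setup` (verb) -> `set up`, and `Firewall` should be lower case mid-sentence.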
@@ -820,7 +824,7 @@
          rule wins</quote> logic. For the complete legacy rule syntax
          description see the &man.ipf.8; manual page.</para>
 
-       <para><literal>#</literal> is used to mark the start of a comment and may appear at
+       <para>A <literal>#</literal> is used to mark the start of a comment and may appear at
          the end of a rule line or on its own line. Blank lines are
          ignored.</para>
 
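Review bot: `A <literal>#</literal> is used` still reads oddly because the article has no noun; `A <literal>#</literal> character marks the start of a comment` fixes that and drops the passive.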
@@ -1444,7 +1448,7 @@
 
       <para><acronym>NAT</acronym> rules are loaded by using the <command>ipnat</command>
         command. Typically the <acronym>NAT</acronym> rules are stored
-        in <filename>/etc/ipnat.rules </filename>. See &man.ipnat.1
+        in <filename>/etc/ipnat.rules</filename>. See &man.ipnat.1
         for details.</para>
 
       <para>When changing the <acronym>NAT</acronym> rules after
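Review bot: the changed line itself ends with `See &man.ipnat.1` without the terminating `;` on the entity reference, unlike `&man.ipf.8;` earlier in this patch; since the line is already being touched, add the `;` here so the reference is guaranteed to resolve.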
@@ -1535,7 +1539,7 @@
       <title>Enabling IP<acronym>NAT</acronym></title>
 
       <para>To enable IP<acronym>NAT</acronym> add these statements to
-        <filename>/etc/rc.conf</filename></para>
+        <filename>/etc/rc.conf</filename>.</para>
 
       <para>To enable your machine to route traffic between
         interfaces:</para>
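Review bot: adding a full stop after `/etc/rc.conf</filename>` is inconsistent with the rest of this patch, which turns such lead-in sentences into colons (for example `rules:` in the -1701 hunk); the statements follow directly, so `<filename>/etc/rc.conf</filename>:` fits the pattern better.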
@@ -1561,12 +1565,14 @@
         becomes a resource problem that may cause problems with the same
         port numbers being used many times across many
         <acronym>NAT</acronym>ed LAN PC's, causing collisions. There
-        are 2 ways to relieve this resource problem.</para>
+        are two ways to relieve this resource problem.</para>
 
       <sect3>
         <title>Assigning Ports to Use</title>
         <!-- What does it mean ? Is there something missing ?-->
-        <para>XXXBLAH</para>
+        <!-- XXXBLAH <- Apparently you can't start a sect
+             with a <programlisting> tag ?-->
+        <para>A normal NAT rule would look like:</para>
 
         <programlisting>map dc0 192.168.1.0/24 -> 0.32</programlisting>
 
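Review bot: the replacement comment keeps the `XXXBLAH` placeholder and an open question (`Apparently you can't start a sect with a <programlisting> tag ?`) in the source; either drop it or state the SGML constraint plainly, and the older `What does it mean ? Is there something missing ?` comment just above is now answered and can go too. Separately, the context line `map dc0 192.168.1.0/24 -> 0.32` looks like a typo for `0/32`, the form every other map rule in this patch uses (`-> 0/32`); `0.32` is not a valid translation target and a reader copying the example would get a parse error.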
@@ -1672,12 +1678,12 @@
 
         <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
 
-        <para>This rule handles the FTP traffic from the gateway.</para>
+        <para>This rule handles the FTP traffic from the gateway:</para>
 
         <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
 
         <para>This rule handles all non-FTP traffic from the internal
-          LAN.</para>
+          LAN:</para>
 
A         <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
 
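Review bot: the line `A         <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>` starts with a stray `A` where a diff context line must start with a space; as shown, the context would not match and the patch would fail to apply cleanly, so regenerate the diff before committing.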
@@ -1701,7 +1707,7 @@
           <acronym>NAT</acronym> FTP proxy is used.</para>
 
         <para>Without the FTP Proxy you will need the following three
-          rules</para>
+          rules:</para>
 
         <programlisting># Allow out LAN PC client FTP to public Internet
 # Active and passive modes
@@ -1724,14 +1730,13 @@
           logged coming in on port 21. The <acronym>NAT</acronym>
           FTP/proxy appears to remove its temp rules prematurely,
           before receiving the response from the remote FTP server
-          acknowledging the close.  Posted problem report to ipf
-          mailing list.</para>
+          acknowledging the close. A problem report was posted to the
+          IPF mailing list.</para>
 
-        <para>Solution is to add filter rule like this one to get rid
+        <para>The solution is to add filter rule like this one to get rid
           of these unwanted log messages or do nothing and ignore FTP
-          inbound error messages in your log. Not like you do FTP
-          session to the public Internet all the time, so this is not
-          a big deal.</para>
+          inbound error messages in your log. Most people don't do
+          outbound FTP too often.</para>
 
         <programlisting>Block in quick on rl0 proto tcp from any to any port = 21</programlisting>
       </sect3>
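Review bot: `to add filter rule like this one` is missing an article (`a filter rule`), and `don't` is a contraction the handbook style avoids. On the context line `Block in quick on rl0 proto tcp from any to any port = 21`: ipf keywords are written in lower case (`block`), as every other rule in this patch is, and the interface `rl0` does not match the `dc0` used throughout (`oif="dc0"`, `map dc0 ...`), so a reader copying the rule would either hit a parse error or install it on the wrong interface. It would also help to say explicitly that this rule drops the unsolicited inbound port 21 traffic rather than merely not logging it, so the reader understands what they are giving up.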

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-doc->keramida 
Responsible-Changed-By: keramida 
Responsible-Changed-When: Fri Jan 21 13:32:53 GMT 2005 
Responsible-Changed-Why:  
I will work with Brad on this. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76533 

From: Giorgos Keramidas <keramida@freebsd.org>
To: Brad Davis <so14k@so14k.com>
Cc: bug-followup@freebsd.org
Subject: Re: docs/76533: Misc punctuation fixes for the FW chapter.
Date: Fri, 21 Jan 2005 15:34:38 +0200

 Hi Brad,
 
 Impressive amount of cleanup.  Thanks :-)
 
 Just a few comments, and an alternative patch that I may commit if you
 don't object to any of the changes I made...
 
 > -      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>
 > -      .</para>
 > +      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.
 > +      </para>
 
 Closing tags should cuddle to the previous line.  Whitespace at the
 end of the enclosed element is not really necessary and *may* be
 harmful if the SGML conversion process doesn't handle them correctly.
 
 > -         2 different modes that it can be used in. Native mode is the default
 > -         mode when you type the command on the command line without the
 > +         two different modes that it can be used in. Native mode is the
 > +         default mode when you type the command on the command line without the
 
 Whitespace changes should *never* be mixed with content changes in the
 same patch chunk.  Otherwise, the change s/2/two/ is fine here :-)
 
 >         <para>To activate the changes to <filename>/etc/syslog.conf
 >           </filename> you can reboot or bump the syslog task into
 >           re-reading <filename>/etc/syslog.conf</filename> by running
 > -         <command>/etc/rc.d/syslogd restart</command> (<command>
 > -         kill -HUP <replaceable>PID</replaceable></command> in &os; 4.x. You get the PID (i.e. process
 > -         identifier) by listing the tasks with the <command>ps -ax</command>
 > -         command. Find syslog in the display and the PID is the number
 > -         in the left column).</para>
 > +         <command>/etc/rc.d/syslogd restart</command>
 > +         (<command>kill -HUP <replaceable>PID</replaceable></command>
 > +         in &os; 4.x. You get the PID (i.e. process identifier) by
 > +         listing the tasks with the <command>ps -ax</command> command.
 > +         Find syslog in the display and the PID is the number in the
 > +         left column).</para>
 
 Missing closing parenthesis in the 4.X suggestion.  This paragraph is
 also a bit strange.  It goes into an excessive amount of trouble to
 explain what a PID is and suggest `ps -ax' for 4.X releases.  The
 `killall' command is simpler IMHO.
 
 %         <para>To activate the changes to <filename>/etc/syslog.conf
 %           </filename> you can reboot or bump the syslog task into
 %           re-reading <filename>/etc/syslog.conf</filename> by running
 % -         <command>/etc/rc.d/syslogd restart</command> (<command>
 % -         kill -HUP <replaceable>PID</replaceable></command> in &os; 4.x. You get the PID (i.e. process
 % -         identifier) by listing the tasks with the <command>ps -ax</command>
 % -         command. Find syslog in the display and the PID is the number
 % -         in the left column).</para>
 % +         <command>/etc/rc.d/syslogd restart</command>
 % +         (<command>killall -HUP <replaceable>syslogd</replaceable></command> in &os; 4.X).</para>
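Review bot: `<replaceable>syslogd</replaceable>` marks a fixed process name as user-replaceable; `syslogd` is the literal argument here, so it belongs as plain text inside `<command>`. The new `+` line is also well over 72 columns and should be wrapped.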
 
 >           <para>Warning, when working with the firewall rules, always,
 >             always do it from the root console of the system running the
 > -           firewall or you can end up locking your self out.</para>
 > +           firewall or you can end up locking your self out. Or setup a
 > +           cronjob to flush the Firewall rules say every 5 minutes.
 > +           (This might not be acceptable for a corporate firewall, but
 > +           should be for a home firewall.)</para>
 
 There is a capitalized "Firewall" word in the middle of a sentence.  The
 two first sentences use 'or' too often and 'might' seems a bit funny
 near the beginning of the parenthesized sentence.  The parentheses are
 also a bit redundant, IMHO.  How about this, instead?
 
 %           <para>Warning, when working with the firewall rules, always,
 % -           always do it from the root console of the system running the
 % -           firewall or you can end up locking your self out.</para>
 % +           always do it on the console of the system running the
 % +           firewall or you can end up locking your self out.
 % +           Alternatively, you may setup a cronjob to flush the
 % +           firewall rules say every 5 minutes.
 % +           This may not be acceptable for a corporate firewall,
 % +           but should be ok for a home firewall.</para>
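Review bot: the alternative keeps `your self` and `setup` (verb) from the original, and `ok` would normally be `OK`; it also still does not tell the reader that between the cron flush and the next rule load the host runs with the module's `pass all` default described in the -350 hunk, which is the reason the advice is unsuitable for a corporate firewall.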
 
 > @@ -820,7 +824,7 @@
 >           rule wins</quote> logic. For the complete legacy rule syntax
 >           description see the &man.ipf.8; manual page.</para>
 >
 > -       <para><literal>#</literal> is used to mark the start of a comment and may appear at
 > +       <para>A <literal>#</literal> is used to mark the start of a comment and may appear at
 
 I'd probably write this as:
 
 	<para>A <literal>#</literal> character...
 
 > -        <para>Solution is to add filter rule like this one to get rid
 > +        <para>The solution is to add filter rule like this one to get rid
 >            of these unwanted log messages or do nothing and ignore FTP
 > -          inbound error messages in your log. Not like you do FTP
 > -          session to the public Internet all the time, so this is not
 > -          a big deal.</para>
 > +          inbound error messages in your log. Most people don't do
 > +          outbound FTP too often.</para>
 
 "to add filter rule" sounds a bit funny and "don't" is a contraction
 that we will have to remove some time in the future anyway.  I locally
 changed this paragraph to:
 
 % -        <para>Solution is to add filter rule like this one to get rid
 % +        <para>The solution is to add a filter rule to get rid
 %            of these unwanted log messages or do nothing and ignore FTP
 % -          inbound error messages in your log. Not like you do FTP
 % -          session to the public Internet all the time, so this is not
 % -          a big deal.</para>
 % +          inbound error messages in your log. Most people do not use
 % +          outbound FTP too often.</para>
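Review bot: dropping `like this one` leaves the sentence no longer pointing at the `<programlisting>` that follows it in the -1724 hunk; ending with `a filter rule such as the following:` restores the link.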
 
 A complete copy of the modified patch (including some more fixes of
 numbers smaller than 10 that are spelled out as words) can be found at:
 
 http://people.freebsd.org/~keramida/files/brad-firewall.patch
 
 I'd be glad if you reviewed it, before I commit anything.
 
 - Giorgos
 

From: Brad Davis <so14k@so14k.com>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: docs/76533: Misc punctuation fixes for the FW chapter.
Date: Fri, 21 Jan 2005 07:01:51 -0700

 	From: 	  so14k@so14k.com
 	Subject: 	Re: docs/76533: Misc punctuation fixes for the FW chapter.
 	Date: 	January 21, 2005 6:59:40 AM MST
 	To: 	  keramida@freebsd.org
 
 
 On Jan 21, 2005, at 6:34 AM, Giorgos Keramidas wrote:
 
 > Hi Brad,
 >
 > Impressive amount of cleanup.  Thanks :-)
 >
 > Just a few comments, and an alternative patch that I may commit if you
 > don't object to any of the changes I made...
 >
 >> -      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>
 >> -      .</para>
 >> +      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.
 >> +      </para>
 >
 > Closing tags should cuddle to the previous line.  Whitespace at the
 > end of the enclosed element is not really necessary and *may* be
 > harmful if the SGML conversion process doesn't handle them correctly.
 
 I'm kind of confused about which part you are referring to here..
 
 
 >
 >> -         2 different modes that it can be used in. Native mode is 
 >> the default
 >> -         mode when you type the command on the command line without 
 >> the
 >> +         two different modes that it can be used in. Native mode is 
 >> the
 >> +         default mode when you type the command on the command line 
 >> without the
 >
 > Whitespace changes should *never* be mixed with content changes in the
 > same patch chunk.  Otherwise, the change s/2/two/ is fine here :-)
 >
 >>         <para>To activate the changes to <filename>/etc/syslog.conf
 >>           </filename> you can reboot or bump the syslog task into
 >>           re-reading <filename>/etc/syslog.conf</filename> by running
 >> -         <command>/etc/rc.d/syslogd restart</command> (<command>
 >> -         kill -HUP <replaceable>PID</replaceable></command> in &os; 
 >> 4.x. You get the PID (i.e. process
 >> -         identifier) by listing the tasks with the <command>ps 
 >> -ax</command>
 >> -         command. Find syslog in the display and the PID is the 
 >> number
 >> -         in the left column).</para>
 >> +         <command>/etc/rc.d/syslogd restart</command>
 >> +         (<command>kill -HUP <replaceable>PID</replaceable></command>
 >> +         in &os; 4.x. You get the PID (i.e. process identifier) by
 >> +         listing the tasks with the <command>ps -ax</command> 
 >> command.
 >> +         Find syslog in the display and the PID is the number in the
 >> +         left column).</para>
 >
 > Missing closing parenthesis in the 4.X suggestion.  This paragraph is
 > also a bit strange.  It goes into an excessive amount of trouble to
 > explain what a PID is and suggest `ps -ax' for 4.X releases.  The
 > `killall' command is simpler IMHO.
 >
 > %         <para>To activate the changes to <filename>/etc/syslog.conf
 > %           </filename> you can reboot or bump the syslog task into
 > %           re-reading <filename>/etc/syslog.conf</filename> by running
 > % -         <command>/etc/rc.d/syslogd restart</command> (<command>
 > % -         kill -HUP <replaceable>PID</replaceable></command> in &os; 
 > 4.x. You get the PID (i.e. process
 > % -         identifier) by listing the tasks with the <command>ps 
 > -ax</command>
 > % -         command. Find syslog in the display and the PID is the 
 > number
 > % -         in the left column).</para>
 > % +         <command>/etc/rc.d/syslogd restart</command>
 > % +         (<command>killall -HUP 
 > <replaceable>syslogd</replaceable></command> in &os; 4.X).</para>
 >
 >>           <para>Warning, when working with the firewall rules, always,
 >>             always do it from the root console of the system running 
 >> the
 >> -           firewall or you can end up locking your self out.</para>
 >> +           firewall or you can end up locking your self out. Or 
 >> setup a
 >> +           cronjob to flush the Firewall rules say every 5 minutes.
 >> +           (This might not be acceptable for a corporate firewall, 
 >> but
 >> +           should be for a home firewall.)</para>
 >
 > There is a capitalized "Firewall" word in the middle of a sentence.  
 > The
 > two first sentences use 'or' too often and 'might' seems a bit funny
 > near the beginning of the parenthesized sentence.  The parentheses are
 > also a bit redundant, IMHO.  How about this, instead?
 >
 > %           <para>Warning, when working with the firewall rules, 
 > always,
 > % -           always do it from the root console of the system running 
 > the
 > % -           firewall or you can end up locking your self out.</para>
 > % +           always do it on the console of the system running the
 > % +           firewall or you can end up locking your self out.
 > % +           Alternatively, you may setup a cronjob to flush the
 > % +           firewall rules say every 5 minutes.
 > % +           This may not be acceptable for a corporate firewall,
 > % +           but should be ok for a home firewall.</para>
 >
 >> @@ -820,7 +824,7 @@
 >>           rule wins</quote> logic. For the complete legacy rule syntax
 >>           description see the &man.ipf.8; manual page.</para>
 >>
 >> -       <para><literal>#</literal> is used to mark the start of a 
 >> comment and may appear at
 >> +       <para>A <literal>#</literal> is used to mark the start of a 
 >> comment and may appear at
 >
 > I'd probably write this as:
 >
 > 	<para>A <literal>#</literal> character...
 >
 >> -        <para>Solution is to add filter rule like this one to get rid
 >> +        <para>The solution is to add filter rule like this one to 
 >> get rid
 >>            of these unwanted log messages or do nothing and ignore FTP
 >> -          inbound error messages in your log. Not like you do FTP
 >> -          session to the public Internet all the time, so this is not
 >> -          a big deal.</para>
 >> +          inbound error messages in your log. Most people don't do
 >> +          outbound FTP too often.</para>
 >
 > "to add filter rule" sounds a bit funny and "don't" is a contraction
 > that we will have to remove some time in the future anyway.  I locally
 > changed this paragraph to:
 >
 > % -        <para>Solution is to add filter rule like this one to get 
 > rid
 > % +        <para>The solution is to add a filter rule to get rid
 > %            of these unwanted log messages or do nothing and ignore 
 > FTP
 > % -          inbound error messages in your log. Not like you do FTP
 > % -          session to the public Internet all the time, so this is 
 > not
 > % -          a big deal.</para>
 > % +          inbound error messages in your log. Most people do not use
 > % +          outbound FTP too often.</para>
 >
 > A complete copy of the modified patch (including some more fixes of
 > numbers smaller than 10 that are spelled out as words) can be found at:
 >
 > http://people.freebsd.org/~keramida/files/brad-firewall.patch
 >
 > I'd be glad if you reviewed it, before I commit anything.
 >
 I think it looks great. :) Thanks for your assistance. I feel kind of 
 responsible for this chapter since I did a lot of the work to bring it 
 into the tree in the sad state it is.
 
 How important is it to stick to the less than 72 characters per line 
 rule?
 
 
 Regards,
 Brad Davis
 
State-Changed-From-To: open->closed 
State-Changed-By: keramida 
State-Changed-When: Fri Jan 21 14:33:14 GMT 2005 
State-Changed-Why:  
Committed.  Thanks :) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76533 
>Unformatted:
