author | Benedict Reuschling <bcr@FreeBSD.org> | 2023-12-29 12:05:52 +0000
---|---|---
committer | Benedict Reuschling <bcr@FreeBSD.org> | 2023-12-29 12:05:52 +0000
commit | f0950bd41a500237aaf3a5890f6b1ebe916db5dc (patch) |
tree | 7a29961ccdb8cef4c20da3f9148d759c92db05e8 |
parent | ff04d7b9f029e284db33e90cc612c743c36e9df2 (diff) |
Whitespace fixes at the end of line
-rw-r--r-- | documentation/content/en/articles/filtering-bridges/_index.adoc | 6
1 files changed, 3 insertions, 3 deletions
diff --git a/documentation/content/en/articles/filtering-bridges/_index.adoc b/documentation/content/en/articles/filtering-bridges/_index.adoc index 5452add1bc..1ef6adc085 100644 --- a/documentation/content/en/articles/filtering-bridges/_index.adoc +++ b/documentation/content/en/articles/filtering-bridges/_index.adoc @@ -168,7 +168,7 @@ If so, the next step is to add the `net.link.ether.bridge._[blah]_=_[blah]_` por Now it is time to create your own file with custom firewall rules, to secure the inside network. There will be some complication in doing this because not all of the firewall functionalities are available on bridged packets. -Furthermore, there is a difference between the packets that are in the process of being forwarded and packets that are being received by the local machine. +Furthermore, there is a difference between the packets that are in the process of being forwarded and packets that are being received by the local machine. In general, incoming packets are run through the firewall only once, not twice as is normally the case; in fact they are filtered only upon receipt, so rules that use `out` or `xmit` will never match. Personally, I use `in via` which is an older syntax, but one that has a sense when you read it. Another limitation is that you are restricted to use only `pass` or `drop` commands for packets filtered by a bridge. 
@@ -271,12 +271,12 @@ Note that for "relay" and "ns" to work, name service lookups must work _before_ This is an example of making sure that you set the IP on the correct network card. Alternatively it is possible to specify the IP address instead of the host name (required if the machine is IP-less). -People that are used to setting up firewalls are probably also used to either having a `reset` or a `forward` rule for ident packets (TCP port 113). +People that are used to setting up firewalls are probably also used to either having a `reset` or a `forward` rule for ident packets (TCP port 113). Unfortunately, this is not an applicable option with the bridge, so the best thing is to simply pass them to their destination. As long as that destination machine is not running an ident daemon, this is relatively harmless. The alternative is dropping connections on port 113, which creates some problems with services like IRC (the ident probe must timeout). -The only other thing that is a little weird that you may have noticed is that there is a rule to let the bridge machine speak, and another for internal hosts. +The only other thing that is a little weird that you may have noticed is that there is a rule to let the bridge machine speak, and another for internal hosts. Remember that this is because the two sets of traffic will take different paths through the kernel and into the packet filter. The inside net will go through the bridge, while the local machine will use the normal IP stack to speak. Thus the two rules to handle the different cases. |
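Review bot: the first hunk (`@@ -168,7 +168,7 @@`) is whitespace-only; the removed and added "Furthermore, there is a difference between the packets..." lines are identical apart from the trailing space, so the change is correct and the rendered article is unaffected (in AsciiDoc only a trailing space followed by `+` is significant, as a hard line break). To avoid needing a separate commit for this in future, consider running `git diff --check` before committing, or adding it as a pre-commit check, so trailing whitespace is caught at the time the content is edited.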
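Review bot: the second hunk (`@@ -271,12 +271,12 @@`) likewise only strips trailing spaces from the "People that are used to setting up firewalls..." and "The only other thing that is a little weird..." lines; the prose between them about ident (TCP port 113) handling is untouched. Since the commit message claims whitespace fixes only, reviewers can confirm that quickly with `git show -w f0950bd41a500237aaf3a5890f6b1ebe916db5dc`, which should show an empty diff for this file.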