
Re: [RFR] apf-firewall package



Giuseppe Iuculano wrote:
> apf-firewall for Debian
> -----------------------
> 
> On your first installation of APF it will come pretty bare in the way of
> preconfigured options, this is intentional. The most common issue with many
                       ^
Comma splice -

  preconfigured options. This is intentional: the most common issue with

Also, cut the "many", which makes it sound as if it's a _recurring_
issue with _each_ firewall app.

> firewalls is that they come configured with so many options that a user may
> never use or disable, that it leaves systems riddled with firewall holes.
                      ^
Excess comma.  Also, unclear antecedent for "it", doubled "that",
a slightly odd use of "may"... it's so close, but the more I fiddle
with it the less I like it.  How about a rewrite:

  A default install of APF is intentionally simple. The most common
  issue with firewalls is that they offer so many features that the
  user is unlikely to use or disable but leave holes in the firewall.

> APF comes configured with only a single incoming port
> enabled by default and that is port 22 (SSH)

The "and" is weak... try:

  APF comes configured with only a single incoming port enabled by
  default: port 22 (SSH).
 
> The main APF configuration file is located at /etc/apf-firewall/conf.apf and has
> detailed usage information above all configuration variables.

("conf.apf"?  Really?)

More run-on coordinate clauses 'n' stuff.

  The main APF configuration file, /etc/apf-firewall/conf.apf, has
  detailed usage information above all the configuration variables.

> The file uses
> integer based values for setting configuration options and they are
> 0 = disabled
> 1 = enabled

Those aren't integer "based", they're integers - or, no, hang on,
they're boolean.

  All options use the boolean values "0" to indicate "disabled" or "1" for
  "enabled".

> DEVEL_MODE
> ----------
> This tells APF to run in a development mode which in short means
> that the firewall will shut itself off every 5 minutes from a cronjob. When

Snip "in short" to make it truer.  Does this mean apf-firewall
includes a cronjob (running every five minutes) that flushes all
rules if it detects a DEVEL_MODE flag in /etc/default/apf-firewall?
That seems an odd approach, but if so:

  This flag in /etc/default/apf-firewall tells APF to run in a
  development mode, in which the firewall will be deactivated by a
  cronjob every 5 minutes.

> When
> you install any version of APF, upgrade or new install, this feature is by
> default enabled to make sure the user does not lock themself out of the
> system with configuration errors.

Normally I'd say to pluralise "the users", "themselves", but the
user has already been referred to in the same sentence as "you", so
don't bother: "you", "yourself".

(Wait, so even if I'm keeping the config on a read-only filesystem,
apt-get upgrading to a new Debian point-release with extra l10n will
automatically switch my firewall off?)

> Once you are satisfied that you have the
> firewall configured and operating as intended then you must disable it.
> 
> When you are ready, you should edit /etc/default/apf-firewall and APF will start
> at boot.

If I happen not to want to reboot my server, do I need to also run
"/etc/init.d/apf-firewall start", or is that handled by the cronjob?

  apf-firewall for Debian
  -----------------------

  A default install of APF is intentionally simple. The most common
  issue with firewalls is that they offer so many features that the
  user is unlikely to use or disable but leave holes in the firewall.

  APF comes configured with only a single incoming port enabled by
  default: port 22 (SSH).

  The main APF configuration file, /etc/apf-firewall/conf.apf, has
  detailed usage information above all the configuration variables. All
  options use the boolean values "0" to indicate "disabled" or "1" for
  "enabled".

  DEVEL_MODE
  ----------
  This flag in /etc/default/apf-firewall tells APF to run in a
  development mode, in which the firewall will be deactivated by a
  cronjob every 5 minutes. When you install any version of APF,
  upgrade or new install, this feature is enabled by default to make
  sure you do not lock yourself out of the system with configuration
  errors. Once you are satisfied that you have the firewall configured
  and operating as intended then you must disable it.

  When you are ready, you should edit /etc/default/apf-firewall and
  disable DEVEL_MODE, so that the firewall will continue running once
  started.

-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
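The review above asks how DEVEL_MODE is supposed to work: a flag in /etc/default/apf-firewall, read by a cron job every five minutes, which switches the firewall off while it is set to "1". The following shell script is an added example written for this page, not code from the apf-firewall package or from either participant in the thread. It models only the two things the README text actually specifies, the 0/1 boolean option format and the "deactivate while DEVEL_MODE=1" decision, and it treats a missing or malformed flag as "1" on the assumption that a lockout-prevention mechanism should fail safe (that choice, the function names, and the sample config contents are all assumptions; no iptables rules are touched, the flush is simulated).

```shell
#!/bin/sh
# Added example, not part of apf-firewall or of this review thread.
# Models the DEVEL_MODE behaviour as described in the quoted README:
# a cron job reads /etc/default/apf-firewall and, while DEVEL_MODE is "1",
# deactivates the firewall so a bad ruleset cannot lock the admin out.

# read_bool_option FILE KEY
# Prints the value of the last uncommented KEY=... line in FILE.
# Returns 1 if KEY is absent or its value is not the documented "0" or "1".
read_bool_option() {
    file="$1"; key="$2"; val=""; found=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "$key"=*) ;;        # only exact "KEY=" at start of line matches
            *) continue ;;      # comments (#KEY=...) and other keys are skipped
        esac
        found=1
        val=${line#*=}
        val=${val#\"}; val=${val%\"}    # strip optional double quotes
    done < "$file"
    [ "$found" -eq 1 ] || return 1
    case "$val" in
        0|1) printf '%s\n' "$val" ;;
        *) return 1 ;;          # e.g. DEVEL_MODE=yes is not a boolean here
    esac
}

# devel_mode_cron FILE
# What the five-minute cron job would decide for the given defaults file.
# Returns 0 meaning "deactivate the firewall" when DEVEL_MODE is 1, and also
# when the flag is missing or malformed (assumption: fail safe, i.e. prefer
# an open box to a locked-out admin while the setup is unconfirmed).
# Returns 1 meaning "leave the firewall running" only when DEVEL_MODE is 0.
devel_mode_cron() {
    mode=$(read_bool_option "$1" DEVEL_MODE) || mode=1
    if [ "$mode" = "1" ]; then
        echo "DEVEL_MODE=1: flushing firewall rules (simulated, no iptables call)"
        return 0
    fi
    echo "DEVEL_MODE=0: firewall stays up"
    return 1
}

# make_sample_config FILE
# Writes a constructed defaults file in the style the README describes.
# These contents are a sample for this example, not the package's real file.
make_sample_config() {
    printf '%s\n' \
        '# apf-firewall defaults (constructed sample)' \
        'DEVEL_MODE="1"' \
        'RUN=1' > "$1"
}

# Stand-alone demonstration: first the fresh-install state, then the state
# after the admin has confirmed the ruleset and set DEVEL_MODE=0.
demo_file=$(mktemp)
make_sample_config "$demo_file"
devel_mode_cron "$demo_file" || true
printf 'DEVEL_MODE=0\n' > "$demo_file"
devel_mode_cron "$demo_file" || true
rm -f "$demo_file"
```

The point the reviewer raises (what happens on upgrade) is visible in the model: whatever DEVEL_MODE says after the package scripts have run is what the next cron tick acts on, so an upgrade that resets the flag to "1" would switch the firewall off within five minutes.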