From patchwork Tue Apr  7 15:07:18 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?=
 <peter.mueller@ipfire.org>
X-Patchwork-Id: 2916
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
	 client-signature ECDSA (P-384) client-digest SHA384)
	(Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 48xW3l3Wcgz3yBn
	for <patchwork@web04.haj.ipfire.org>; Tue,  7 Apr 2020 15:07:31 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384)
	 client-signature ECDSA (P-384))
	(Client CN "mail02.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 48xW3j09kpz25N;
	Tue,  7 Apr 2020 15:07:28 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 48xW3f6P7Vz2ybT;
	Tue,  7 Apr 2020 15:07:26 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384
 client-signature ECDSA (P-384) client-digest SHA384)
 (Client CN "mail01.haj.ipfire.org",
 Issuer "Let's Encrypt Authority X3" (verified OK))
 by mail02.haj.ipfire.org (Postfix) with ESMTPS id 48xW3f18zgz2xm4
 for <development@lists.ipfire.org>; Tue,  7 Apr 2020 15:07:26 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature ECDSA (P-384))
 (Client did not present a certificate)
 by mail01.ipfire.org (Postfix) with ESMTPSA id 48xW3c0lHlz11y
 for <development@lists.ipfire.org>; Tue,  7 Apr 2020 15:07:23 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003ed25519; t=1586272045;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=GtRU9IyWRTjqwKq7xUM+4lBqHImUkIPImsgbVafvfo0=;
 b=B6BgjxTJ50VhcPL8Z1K9NxkzwWFmb2k4sGJ2pZAC0pvdYexvFLou3lMTFdRI2ad4iFz0Xc
 edcl8SbPktiDVzAQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
 t=1586272045;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=GtRU9IyWRTjqwKq7xUM+4lBqHImUkIPImsgbVafvfo0=;
 b=n+wwWHgN6IVDev/jPi3cfvxRgLK2/DQA0eVJZXYJE54NQr5m3VmtGlrHJMrwmzRklExKRU
 iDdfwoFLMzcuUxoneVTQGjaP5p+WXtRqA7J48vX6jlYXh51sKo85tgkfzeI6b4TSMrcbYb
 LiMNPBkIUyC6WKgCmOQPzbaZ3+g6N+omBxa0jaPRwUxjyiU1KzX8WfcIx78E7le7Zki2XM
 Vh9SETXBoTj3n3rPlnD2aeyKTn3HPBTyuydrINO0sX9tu4C9pGkSdP254Q1d/6GeAskl8s
 fLDZWj5R5RgfPkid3vE/xF8eJCv2baa2MC15zAIPUEF7HoX8N6tARK5E2J9vYQ==
To: "IPFire: Development-List" <development@lists.ipfire.org>
From: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@ipfire.org>
Subject: [PATCH] firewall initscript: slightly improve comments
Message-ID: <52fede12-5ee7-9e76-8eda-eb8dfeff7b3d@ipfire.org>
Date: Tue, 7 Apr 2020 17:07:18 +0200
MIME-Version: 1.0
Content-Language: en-US
Authentication-Results: mail01.ipfire.org;
 auth=pass smtp.mailfrom=peter.mueller@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
 <mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <http://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
 <mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

This patch corrects some typos and does not introduce functional changes.

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
---
 src/initscripts/system/firewall | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index ab144ea18..00512d9fa 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -41,18 +41,18 @@ iptables_init() {
 	iptables -A LOG_REJECT -j REJECT
 
 	# This chain will log, then DROPs packets with certain bad combinations
-	# of flags might indicate a port-scan attempt (xmas, null, etc)
+	# of flags might indicate a port-scan attempt (xmas, null, etc.)
 	iptables -N PSCAN
 	if [ "$DROPPORTSCAN" == "on" ]; then
-		iptables -A PSCAN -p tcp  -m limit --limit 10/second -j LOG --log-prefix "DROP_TCP Scan " -m comment --comment "DROP_TCP PScan"
-		iptables -A PSCAN -p udp  -m limit --limit 10/second -j LOG --log-prefix "DROP_UDP Scan " -m comment --comment "DROP_UDP PScan"
+		iptables -A PSCAN -p tcp  -m limit --limit 10/second -j LOG --log-prefix "DROP_TCP Scan "  -m comment --comment "DROP_TCP PScan"
+		iptables -A PSCAN -p udp  -m limit --limit 10/second -j LOG --log-prefix "DROP_UDP Scan "  -m comment --comment "DROP_UDP PScan"
 		iptables -A PSCAN -p icmp -m limit --limit 10/second -j LOG --log-prefix "DROP_ICMP Scan " -m comment --comment "DROP_ICMP PScan"
 		iptables -A PSCAN -f      -m limit --limit 10/second -j LOG --log-prefix "DROP_FRAG Scan " -m comment --comment "DROP_FRAG PScan"
 	fi
 	iptables -A PSCAN -j DROP -m comment --comment "DROP_PScan"
 
 	# New tcp packets without SYN set - could well be an obscure type of port scan
-	# that's not covered above, may just be a broken windows machine
+	# that's not covered above, may just be a broken Windows machine
 	iptables -N NEWNOTSYN
 	if [ "$DROPNEWNOTSYN" == "on" ]; then
 		iptables -A NEWNOTSYN  -m limit --limit 10/second -j LOG  --log-prefix "DROP_NEWNOTSYN "
@@ -159,7 +159,7 @@ iptables_init() {
 		iptables -t raw -A CONNTRACK -p tcp -j CT --helper amanda
 	fi
 
-	# Fix for braindead ISP's
+	# Fix for braindead ISPs
 	iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
 
 	# CUSTOM chains, can be used by the users themselves
@@ -180,7 +180,7 @@ iptables_init() {
 	iptables -A FORWARD -j P2PBLOCK
 	iptables -A OUTPUT -j P2PBLOCK
 	
-	# Guardian (IPS) chains
+	# IPS (Guardian) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN
 	iptables -A FORWARD -j GUARDIAN
@@ -196,7 +196,7 @@ iptables_init() {
 	iptables -A FORWARD -i tun+ -j OVPNBLOCK
 	iptables -A FORWARD -o tun+ -j OVPNBLOCK
 
-	# IPS (suricata) chains
+	# IPS (Suricata) chains
 	iptables -N IPS_INPUT
 	iptables -N IPS_FORWARD
 	iptables -N IPS_OUTPUT
@@ -261,7 +261,7 @@ iptables_init() {
 		iptables -A OUTPUT -o "${GREEN_DEV}" -j DHCPGREENOUTPUT
 	fi
 
-	# allow DHCP on BLUE to be turned on/off
+	# Allow DHCP on BLUE to be turned on/off
 	iptables -N DHCPBLUEINPUT
 	iptables -N DHCPBLUEOUTPUT
 	if [ -n "${BLUE_DEV}" ]; then
@@ -438,7 +438,7 @@ iptables_red_up() {
 			iptables -A REDINPUT -p udp --source-port 67 --destination-port 68 -i $IFACE -j ACCEPT
 		fi
 
-		# Outgoing masquerading (don't masqerade IPSEC (mark 50))
+		# Outgoing masquerading (don't masqerade IPsec (mark 50))
 		iptables -t nat -A REDNAT -m mark --mark 50 -o $IFACE -j RETURN
 
 		if [ "${IFACE}" = "${GREEN_DEV}" ]; then