Misc fixes from Chris Pepper, plus additional explainations on

dummynet operation. MFC after: 3 days
svn path=/head/; revision=106072
2002-10-28 07:03:56 +00:00 · 2002-10-28 07:03:56 +00:00 · 4d5fe224c6 · 2020-12-20 02:59:44 +00:00
commit 4d5fe224c6
parent d25beabfca
1 changed files with 183 additions and 186 deletions
--- a/sbin/ipfw/ipfw.8
+++ b/sbin/ipfw/ipfw.8
@ -1,11 +1,6 @@
 .\"
 .\" $FreeBSD$
 .\"
 .de NOIPFW
 .br
 (\\$1 NOT IN IPFW)
 .br
 ..
 .Dd August 13, 2002
 .Dt IPFW 8
 .Os
@ -72,43 +67,29 @@ firewall and the
 traffic shaper in
 .Fx .
 .Pp
 .Bd -ragged -offset XXXX
 .Em NOTE:
-this manual page refers to the newer version of
+this manual page documents the newer version of
 .Nm
-introduced in July 2002, also known as
+introduced in
 .Fx
 CURRENT in July 2002, also known as
 .Nm ipfw2 .
 The commands listed here are a superset of the old
 firewall, which we will call
 .Nm ipfw1
 when it is necessary to distinguish between the two.
 .Pp
 .Nm ipfw2
-is standard in
+is a superset of the old firewall,
 .Fx
 CURRENT, whereas
 .Fx
 STABLE still uses
 .Nm ipfw1
 unless the kernel is compiled with
 .Cm options IPFW2 ,
 and
 .Nm /sbin/ipfw
 and
 .Nm /usr/lib/libalias
 are recompiled with
 .Cm -DIPFW2
 and reinstalled (the same effect can be achieved by adding
 .Cm IPFW2=TRUE
 to
 .Nm /etc/make.conf
 before a buildworld).
 .Pp
 See the
 .Sx IPFW2 ENHANCEMENTS
 Section for a list of features which are not present in
 .Nm ipfw1 .
-This list can also be useful to revise your rules and
+The differences between the two are listed in Section
 .Sx IPFW2 ENHANCEMENTS ,
 which you are encouraged to read to revise older rulesets and possibly
 write them more efficiently.
 See Section
 .Sx USING IPFW2 IN FreeBSD-STABLE
 for instructions on how to run
 .Nm ipfw2
 on
 .Fx
 STABLE.
 .Ed
 .Pp
 An
 .Nm
@ -119,7 +100,7 @@ is made of a list of
 numbered from 1 to 65535.
 Packets are passed to
 .Nm
-in a number of different places in the protocol stack
+from a number of different places in the protocol stack
 (depending on the source and destination of the packet,
 it is possible that
 .Nm
@ -253,15 +234,14 @@ commands in a script
 .Ql sh\ /etc/rc.firewall ) ,
 or by processing a file of many
 .Nm
-rules,
+rules across a remote login session.
 across a remote login session.
 If a
 .Cm flush
 is performed in normal (verbose) mode (with the default kernel
 configuration), it prints a message.
 Because all rules are flushed, the message might not be delivered
 to the login session, causing the remote login session to be closed
-and the remainder of the ruleset is not processed.
+and the remainder of the ruleset to not be processed.
 Access to the console would then be required to recover.
 .It Fl S
 While listing rules, show the
@ -271,7 +251,7 @@ If this flag is not specified, disabled rules will not be
 listed.
 .It Fl s Op Ar field
 While listing pipes, sort according to one of the four
-counters (total and current packets or bytes).
+counters (total or current packets or bytes).
 .It Fl t
 While listing, show last match timestamp.
 .El
@ -324,17 +304,13 @@ The
 and
 .Cm queue
 commands are used to configure the traffic shaper, as shown in the
-.Sx TRAFFIC SHAPER CONFIGURATION
+.Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
 Section below.
 .Sh PACKET FLOW
-.Nm
+A packet is checked against the active ruleset in multiple places
-can be invoked from multiple places in the protocol stack,
+in the protocol stack, under control of several sysctl variables.
-under control of several system parameters,
+These places and variables are shown below, and it is important to
-and it is important to understand when this occurs in order to
+have this picture in mind in order to design a correct ruleset.
 design a proper ruleset. The places where
 .Nm
 is invoked are listed below, together with the sysctl variables
 which control its invocation.
 .Bd -literal -offset indent
      ^	    to upper layers   V
      |                       |
@ -354,10 +330,11 @@ As can be noted from the above picture, the number of
 times the same packet goes through the firewall can
 vary between 0 and 4 depending on packet source and
 destination, and system configuration.
-In each of these places, the packet is passed to
+.Pp
-.Nm
+Note that as packets flow through the stack, headers can be
-with all (and only) the fields that belong to that level.
+stripped or added to it, and so they may or may not be available
-That is, incoming packets will include the MAC header when
+for inspection.
 E.g., incoming packets will include the MAC header when
 .Nm
 is invoked from
 .Cm ether_demux() ,
@ -365,23 +342,20 @@ but the same packets will have the MAC header stripped off when
 .Nm
 is invoked from
 .Cm ip_input() .
-.br
+.Pp
-The complete ruleset is always used,
+Also note that each packet is always checked against the complete ruleset,
-irrespective of the place where
+irrespective of the place where the check occurs, or the source of the packet.
 .Nm
 is invoked, or the source of the packet.
 If a rule contains some match patterns or actions which are not valid
-for the place of invokation (e.g. trying
+for the place of invocation (e.g. trying to match a MAC header within
 to match a MAC header when
 .Nm
 is called from
 .Cm ip_input()
-) the match pattern will not match. However, a
+), the match pattern will not match, but a
 .Cm not
-operator in front of such patterns will cause the pattern to
+operator in front of such patterns
 .Em will
 cause the pattern to
 .Em always
-match on those packets, which might cause undesired results.
+match on those packets.
-It is thus responsibility of
+It is thus the responsibility of
 the programmer, if necessary, to write a suitable ruleset to
 differentiate among the possible places.
 .Cm skipto
@ -440,7 +414,7 @@ window
 .It ICMP types
 for ICMP packets
 .It User/group ID
-When the packet can be associate to a local socket.
+When the packet can be associated with a local socket.
 .El
 .Pp
 Note that some of the above information, e.g. source MAC or IP addresses and
@ -467,10 +441,10 @@ non-default rule number by the value of the sysctl variable
 .Ar net.inet.ip.fw.autoinc_step
 which defaults to 100.
 If this is not possible (e.g. because we would go beyond the
-maximum allowed rule number), the same number of the last
+maximum allowed rule number), the number of the last
 non-default value is used instead.
 .It Cm set Ar set_number
-Each rule is associated to a
+Each rule is associated with a
 .Ar set_number
 in the range 0..31, with the latter reserved for the
 .Em default
@ -504,19 +478,17 @@ is set to 1
 (which is the default when the kernel is compiled with
 .Dv IPFIREWALL_VERBOSE
 ) and the number of packets logged so far for that
-particular rule does not exceed ther
+particular rule does not exceed the
 .Cm logamount
 parameter.
 If no
 .Cm logamount
 is specified, the limit is taken from the sysctl variable
 .Em net.inet.ip.fw.verbose_limit .
-In both cases, a value of 0
+In both cases, a value of 0 removes the logging limit.
 removes the logging limit.
 .Pp
 Once the limit is reached, logging can be re-enabled by
-clearing the logging counter
+clearing the logging counter or the packet counter for that entry, see the
 or the packet counter for that entry, see the
 .Cm resetlog
 command.
 .Pp
@ -558,7 +530,7 @@ The search terminates.
 .It Cm fwd | forward Ar ipaddr Ns Op , Ns Ar port
 Change the next-hop on matching packets to
 .Ar ipaddr ,
-which can be an IP address in dotted quad or a host name.
+which can be an IP address in dotted quad format or a host name.
 The search terminates if this rule matches.
 .Pp
 If
@ -599,7 +571,7 @@ Pass packet to a
 .Dq pipe
 (for bandwidth limitation, delay, etc.).
 See the
-.Sx TRAFFIC SHAPER CONFIGURATION
+.Sx TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
 Section for further information.
 The search terminates; however, on exit from the pipe and if
 the
@ -612,7 +584,7 @@ starting from the next rule.
 Pass packet to a
 .Xr dummynet 4
 .Dq queue
-(for bandwidth limitation using WF2Q).
+(for bandwidth limitation using WF2Q+).
 .It Cm reject
 (Deprecated).
 Synonym for
@ -682,7 +654,7 @@ or braces, so it is advisable to put a backslash \\ in front of them
 to prevent such interpretations.
 .Pp
 The body of a rule must in general include a source and destination
-addres specifier.
+address specifier.
 The keyword
 .Ar any
 can be used in various places to specify that the content of
@ -812,7 +784,7 @@ A backslash
 can be used to escape the dash
 .Pq Ql -
 character in a service name (from a shell, the backslash must be
-typed twice to avoid that the shell itself uses it as an escape
+typed twice to avoid the shell itself interpreting it as an escape
 character).
 .Pp
 .Dl "ipfw add count tcp from any ftp\e\e-data-ftp to any"
@ -960,7 +932,7 @@ Matches IP packets whose IP version field is
 .Ar ver .
 .It Cm keep-state
 Upon a match, the firewall will create a dynamic rule, whose
-default behaviour is to matching bidirectional traffic between
+default behaviour is to match bidirectional traffic between
 source and destination IP/port using the same protocol.
 The rule has a limited lifetime (controlled by a set of
 .Xr sysctl 8
@ -986,7 +958,7 @@ and
 addresses, specified as the
 .Cm any
 keyword (matching any MAC address), or six groups of hex digits
-separated by commas,
+separated by colons,
 and optionally followed by a mask indicating how many bits are
 significant, as in
 .Pp
@ -1005,14 +977,14 @@ is specified in the same way as
 (i.e. one or more comma-separated single values or ranges).
 You can use symbolic names for known values such as
 .Em vlan , ipv4, ipv6 .
-Values can be enter as decimal or hexadecimal (if prefixed by 0x),
+Values can be entered as decimal or hexadecimal (if prefixed by 0x),
 and they are always printed as hexadecimal (unless the
 .Cm -N
 option is used, in which case symbolic resolution will be attempted).
 .It Cm proto Ar protocol
 Matches packets with the corresponding IPv4 protocol.
 .It Cm recv | xmit | via Brq Ar ifX | Ar if Ns Cm * | Ar ipno | Ar any
-Matches packets received, transmitted or be going through,
+Matches packets received, transmitted or going through,
 respectively, the interface specified by exact name
 .Ns No ( Ar ifX Ns No ),
 by device name
@ -1139,9 +1111,10 @@ Sets can be individually and atomically enabled or disabled,
 so this mechanism permits an easy way to store multiple configurations
 of the firewall and quickly (and atomically) switch between them.
 The command to enable/disable sets is
-.Pp
+.Bd -ragged -offset indent
 .Nm
-.Cm set disable Ar number ... Op Cm enable Ar number ...
+.Cm set Oo Cm disable Ar number ... Oc Op Cm enable Ar number ...
 .Ed
 .Pp
 where multiple
 .Cm enable
@ -1151,26 +1124,28 @@ sections can be specified.
 Command execution is atomic on all the sets specified in the command.
 By default, all sets are enabled.
 .Pp
-When you disable a set, its rules behave as if they were not existing
+When you disable a set, its rules behave as if they do not exist
 in the firewall configuration, with only one exception:
-.Bl -bullet
+.Bd -ragged -offset indent
 .It
 dynamic rules created from a rule before it had been disabled
 will still be active until they expire. In order to delete
 dynamic rules you have to explicitly delete the parent rule
-which generated them;
+which generated them.
-.El
+.Ed
 The set number of rules can be changed with the command
 .Pp
 The set number of rules can be changed with the command
 .Bd -ragged -offset indent
 .Nm  
 .Cm set move
 .Brq Cm rule Ar rule-number | old-set
 .Cm to Ar new-set
 .Ed
 .Pp
 Also, you can atomically swap two rulesets with the command
-.Pp
+.Bd -ragged -offset indent
 .Nm
 .Cm set swap Ar first-set second-set
 .Ed
 .Pp
 See the
 .Sx EXAMPLES
@ -1244,45 +1219,61 @@ about to expire.
 See Section
 .Sx EXAMPLES
 for more examples on how to use dynamic rules.
-.Sh TRAFFIC SHAPER CONFIGURATION
+.Sh TRAFFIC SHAPER (DUMMYNET) CONFIGURATION
 .Nm
 is also the user interface for the
 .Xr dummynet 4
 traffic shaper.
 The shaper operates by dividing packets into
 .Em flows
 according to a user-specified mask on different fields
 of the IP header.
 Packets belonging to the same flow are then passed to two
 different objects, named
 .Em pipe
 or
 .Em queue .
 .Pp
-A
+.Nm dummynet
-.Em pipe
+operates by first using the firewall to classify packets and divide them into
-emulates a link with given bandwidth, propagation delay,
+.Em flows ,
 using any match pattern that can be used in
 .Nm
 rules.
 Depending on local policies, a flow can contain packets for a single
 TCP connection, or from/to a given host, or entire subnet, or a
 protocol type, etc.
 .Pp
 Packets belonging to the same flow are then passed to either of two
 different objects, which implement the traffic regulation:
 .Bl -hang -offset XXXX
 .It Em pipe
 A pipe emulates a link with given bandwidth, propagation delay,
 queue size and packet loss rate.
-Packets transit through the pipe according to its parameters.
+Packets are queued in front of the pipe as they come out from the classifier,
 and then transferred to the pipe according to the pipe's parameters.
 .Pp
-A
+.It Em queue
-.Em queue
+A queue
-is an abstraction used to implement the WF2Q+ (Worst-case Fair Weighted Fair Queueing) policy.
+is an abstraction used to implement the WF2Q+
-The queue associates to each flow a weight and a reference pipe.
+(Worst-case Fair Weighted Fair Queueing) policy, which is
-Then, all flows linked to the same pipe are scheduled at the
+an efficient variant of the WFQ policy.
-rate fixed by the pipe according to the WF2Q+ policy.
+.br
 The queue associates a
 .Em weight
 and a reference pipe to each flow, and then all backlogged (i.e.,
 with packets queued) flows linked to the same pipe share the pipe's
 bandwidth proportionally to their weights.
 Note that weights are not priorities; a flow with a lower weight
 is still guaranteed to get its fraction of the bandwidth even if a
 flow with a higher weight is permanently backlogged.
 .Pp
 .El
 In practice,
 .Em pipes
 can be used to set hard limits to the bandwidth that a flow can use, whereas
 .Em queues
 can be used to determine how different flow share the available bandwidth.
 .Pp
 The
-.Nm
+.Em pipe
-pipe configuration format is the following:
+and
 .Em queue
 configuration commands are the following:
 .Bd -ragged -offset indent
 .Cm pipe Ar number Cm config Ar pipe-configuration
 .Ed
 .Pp
 The
 .Nm
 queue configuration format is the following:
 .Bd -ragged -offset indent
 .Cm queue Ar number Cm config Ar queue-configuration
 .Ed
 .Pp
@ -1297,13 +1288,15 @@ Bandwidth, measured in
 .Sm on
 .Pp
 A value of 0 (default) means unlimited bandwidth.
-The unit must follow immediately the number, as in
+The unit must immediately follow the number, as in
 .Pp
 .Dl "ipfw pipe 1 config bw 300Kbit/s"
 .Pp
-If a device name is specified instead of a numeric
+If a device name is specified instead of a numeric value, as in
-value, then the transmit clock is supplied by the specified
+.Pp
-device.
+.Dl "ipfw pipe 1 config bw tun0"
 .Pp
 then the transmit clock is supplied by the specified device.
 At the moment only the
 .Xr tun 4
 device supports this
@ -1326,9 +1319,8 @@ The following parameters can be configured for a queue:
 .Bl -tag -width indent -compact
 .It Cm pipe Ar pipe_nr
 Connects a queue to the specified pipe.
-Multiple queues (usually
+Multiple queues (with the same or different weights) can be connected to
-with different weights) can be connected to the same pipe, which
+the same pipe, which specifies the aggregate rate for the set of queues.
 specifies the aggregate rate for the set of queues.
 .Pp
 .It Cm weight Ar weight
 Specifies the weight to be used for flows matching this queue.
@ -1338,7 +1330,7 @@ The weight must be in the range 1..100, and defaults to 1.
 Finally, the following parameters can be configured for both
 pipes and queues:
 .Pp
-.Bl -tag -width indent -compact
+.Bl -tag -width XXXX -compact
 .Pp
 .It Cm buckets Ar hash-table-size
 Specifies the size of the hash table used for storing the
@ -1350,14 +1342,31 @@ variable
 allowed range is 16 to 65536.
 .Pp
 .It Cm mask Ar mask-specifier
-The
+Packets sent to a given pipe or queue by an
-.Xr dummynet 4
+.Nm
-lets you to create per-flow queues.
+rule can be further classified into multiple flows, each of which is then
 sent to a different
 .Em dynamic
 pipe or queue.
 A flow identifier is constructed by masking the IP addresses,
-ports and protocol types as specified in the pipe configuration.
+ports and protocol types as specified with the
-Packets with the same identifier after masking fall into the
+.Cm mask
-same queue.
+options in the configuration of the pipe or queue.
-Available mask specifiers are a combination of the following:
+For each different flow identifier, a new pipe or queue is created
 with the same parameters as the original object, and matching packets
 are sent to it.
 .Pp
 Thus, when
 .Em dynamic pipes
 are used, each flow will get the same bandwidth as defined by the pipe,
 whereas when
 .Em dynamic queues
 are used, each flow will share the parent's pipe bandwidth evenly
 with other flows generated by the same queue (note that other queues
 with different weights might be connected to the same pipe).
 .br
 Available mask specifiers are a combination of one or more of the following:
 .Pp
 .Cm dst-ip Ar mask ,
 .Cm src-ip Ar mask ,
 .Cm dst-port Ar mask ,
@ -1365,16 +1374,8 @@ Available mask specifiers are a combination of the following:
 .Cm proto Ar mask
 or
 .Cm all ,
 .Pp
 where the latter means all bits in all fields are significant.
 When used within a
 .Ar pipe
 configuration, each flow is assigned a rate equal
 to the rate of the pipe.
 When used within a
 .Ar queue
 configuration, each flow is assigned a weight equal to the
 weight of the queue, and all flows insisting on the same pipe
 share bandwidth proportionally to their weight.
 .Pp
 .It Cm noerror
 When a packet is dropped by a dummynet queue or pipe, the error
@ -1542,13 +1543,13 @@ The product
 is used to determine the threshold over which empty pipes/queues
 will be expired even when
 .Cm net.inet.ip.dummynet.expire=0 .
-.It net.inet.ip.dummynet.red_lookup_depth : No 256
+.It Em net.inet.ip.dummynet.red_lookup_depth : No 256
-.It net.inet.ip.dummynet.red_avg_pkt_size : No 512
+.It Em net.inet.ip.dummynet.red_avg_pkt_size : No 512
-.It net.inet.ip.dummynet.red_max_pkt_size : No 1500
+.It Em net.inet.ip.dummynet.red_max_pkt_size : No 1500
 Parameters used in the computations of the drop probability
 for the RED algorithm.
 .It Em net.inet.ip.fw.autoinc_step : No 100
-Delta beween rule numbers when auto-generating them.
+Delta between rule numbers when auto-generating them.
 The value must be in the range 1..1000.
 .It Em net.inet.ip.fw.curr_dyn_buckets : Em net.inet.ip.fw.dyn_buckets
 The current number of buckets in the hash table for dynamic rules
@ -1620,10 +1621,32 @@ Controls whether bridged packets are passed to
 .Nm .
 Default is no.
 .El
 .Sh USING IPFW2 IN FreeBSD-STABLE
 .Nm ipfw2
 is standard in
 .Fx
 CURRENT, whereas
 .Fx
 STABLE still uses
 .Nm ipfw1
 unless the kernel is compiled with
 .Cm options IPFW2 ,
 and
 .Nm /sbin/ipfw
 and
 .Nm /usr/lib/libalias
 are recompiled with
 .Cm -DIPFW2
 and reinstalled (the same effect can be achieved by adding
 .Cm IPFW2=TRUE
 to
 .Nm /etc/make.conf
 before a buildworld).
 .Pp
 .Sh IPFW2 ENHANCEMENTS
 This Section lists the features that have been introduced in
 .Nm ipfw2
-and were not present in
+which were not present in
 .Nm ipfw1 .
 We list them in order of the potential impact that they can
 have in writing your rulesets.
@ -1647,7 +1670,7 @@ you can use the following as the very first rule in your ruleset:
 .Pp
 The
 .Cm layer2
-options might seem redundant, but it is necessary -- packets
+option might seem redundant, but it is necessary -- packets
 passed to the firewall from layer3 will not have a MAC header,
 so the
 .Cm mac-type ip
@ -1700,7 +1723,7 @@ the lifetime of the dynamic rules expires.
 does not implement sets of rules.
 .It MAC header filtering and Layer-2 firewalling.
 .Nm ipfw1
-does not implement filtering on MAC header fields, nor it is
+does not implement filtering on MAC header fields, nor is it
 invoked on packets from
 .Cm ether_demux()
 and
@ -1720,7 +1743,7 @@ Additionally, the following options are not supported in
 rules:
 .Pp
 .Cm ipid, iplen, ipprecedence, iptos, ipttl,
-.Cm ipversion, .Cm tcpack, tcpseq, tcpwin .
+.Cm ipversion, tcpack, tcpseq, tcpwin .
 .It Dummynet options
 The following option for
 .Nm dummynet
@ -1741,7 +1764,7 @@ from being forwarded by the host:
 .Pp
 .Dl "ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet"
 .Pp
-This one disallows any connection from the entire crackers
+This one disallows any connection from the entire cracker's
 network to my host:
 .Pp
 .Dl "ipfw add deny ip from 123.45.67.0/24 to my.host.org"
@ -1799,7 +1822,7 @@ or
 rule.
 A
 .Cm check-state
-rule should be usually placed near the beginning of the
+rule should usually be placed near the beginning of the
 ruleset to minimize the amount of work scanning the ruleset.
 Your mileage may vary.
 .Pp
@ -1872,7 +1895,7 @@ Remember in fact that
 .Nm
 rules are checked both on incoming and outgoing packets.
 .Pp
-Should we like to simulate a bidirectional link with bandwidth
+Should we want to simulate a bidirectional link with bandwidth
 limitations, the correct way is the following:
 .Pp
 .Dl "ipfw add pipe 1 ip from any to any out"
@ -1881,7 +1904,7 @@ limitations, the correct way is the following:
 .Dl "ipfw pipe 2 config bw 64Kbit/s queue 10Kbytes"
 .Pp
 The above can be very useful, e.g. if you want to see how
-your fancy Web page will look for a residential user which
+your fancy Web page will look for a residential user who
 is connected only through a slow link.
 You should not use only one pipe for both directions, unless
 you want to simulate a half-duplex medium (e.g. AppleTalk,
@ -1889,7 +1912,7 @@ Ethernet, IRDA).
 It is not necessary that both pipes have the same configuration,
 so we can also simulate asymmetric links.
 .Pp
-Should we like to verify network performance with the RED queue
+Should we want to verify network performance with the RED queue
 management algorithm:
 .Pp
 .Dl "ipfw add pipe 1 ip from any to any"
@ -1897,7 +1920,7 @@ management algorithm:
 .Pp
 Another typical application of the traffic shaper is to
 introduce some delay in the communication.
-This can affect a lot applications which do a lot of Remote
+This can significantly affect applications which do a lot of Remote
 Procedure Calls, and where the round-trip-time of the
 connection often becomes a limiting factor much more than
 bandwidth:
@ -1969,42 +1992,16 @@ the sleep terminates thus restoring the previous situation.
 .Xr reboot 8 ,
 .Xr sysctl 8 ,
 .Xr syslogd 8
 .Rs
 .%A "S. Floyd"
 .%A "V. Jacobson"
 .%T "Random Early Detection gateways for Congestion Avoidance"
 .%D "August 1993"
 .Re
 .Rs
 .%A "B. Braden"
 .%A "D. Clark"
 .%A "J. Crowcroft"
 .%A "B. Davie"
 .%A "S. Deering"
 .%A "D. Estrin"
 .%A "S. Floyd"
 .%A "V. Jacobson"
 .%A "G. Minshall"
 .%A "C. Partridge"
 .%A "L. Peterson"
 .%A "K. Ramakrishnan"
 .%A "S. Shenker"
 .%A "J. Wroclawski"
 .%A "L. Zhang"
 .%T "Recommendations on Queue Management and Congestion Avoidance in the Internet"
 .%D "April 1998"
 .%O "RFC 2309"
 .Re
 .Sh BUGS
 The syntax has grown over the years and sometimes it might be confusing.
 Unfortunately, backward compatibility prevents cleaning up mistakes
-done in the definition of the syntax.
+made in the definition of the syntax.
 .Pp
 .Em !!! WARNING !!!
 .Pp
 Misconfiguring the firewall can put your computer in an unusable state,
 possibly shutting down network services and requiring console access to
-regain control to it.
+regain control of it.
 .Pp
 Incoming packet fragments diverted by
 .Cm divert