#!/bin/sh
# Flush out the list before we begin.
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
pif="dc0" # interface name of NIC attached to Internet
The first two rules allow all traffic on the trusted internal interface and on the loopback interface:
# Change xl0 to LAN NIC interface name
$cmd 00005 allow all from any to any via xl0

# No restrictions on Loopback Interface
$cmd 00010 allow all from any to any via lo0
The next rule allows the packet through if it matches an existing entry in the dynamic rules table:
$cmd 00101 check-state
The next set of rules defines which stateful connections internal systems can create to hosts on the Internet:
# Allow access to public DNS
# Replace x.x.x.x with the IP address of a public DNS server
# and repeat for each DNS server in /etc/resolv.conf
$cmd 00110 allow tcp from any to x.x.x.x 53 out via $pif setup keep-state
$cmd 00111 allow udp from any to x.x.x.x 53 out via $pif keep-state

# Allow access to ISP's DHCP server for cable/DSL configurations.
# Use the first rule and check log for IP address.
# Then, uncomment the second rule, input the IP address, and delete the first rule
$cmd 00120 allow log udp from any to any 67 out via $pif keep-state
#$cmd 00120 allow udp from any to x.x.x.x 67 out via $pif keep-state

# Allow outbound HTTP and HTTPS connections
$cmd 00200 allow tcp from any to any 80 out via $pif setup keep-state
$cmd 00220 allow tcp from any to any 443 out via $pif setup keep-state

# Allow outbound email connections
$cmd 00230 allow tcp from any to any 25 out via $pif setup keep-state
$cmd 00231 allow tcp from any to any 110 out via $pif setup keep-state

# Allow outbound ping
$cmd 00250 allow icmp from any to any out via $pif keep-state

# Allow outbound NTP
$cmd 00260 allow udp from any to any 123 out via $pif keep-state

# Allow outbound SSH
$cmd 00280 allow tcp from any to any 22 out via $pif setup keep-state

# deny and log all other outbound connections
$cmd 00299 deny log all from any to any out via $pif
The next set of rules controls connections from Internet hosts to the internal network. It starts by denying packets typically associated with attacks and then explicitly allows specific types of connections. All the authorized services that originate from the Internet use <literal>limit</literal> to prevent flooding.
# Deny all inbound traffic from non-routable reserved address spaces
$cmd 00300 deny all from 192.168.0.0/16 to any in via $pif #RFC 1918 private IP
$cmd 00301 deny all from 172.16.0.0/12 to any in via $pif #RFC 1918 private IP
$cmd 00302 deny all from 10.0.0.0/8 to any in via $pif #RFC 1918 private IP
$cmd 00303 deny all from 127.0.0.0/8 to any in via $pif #loopback
$cmd 00304 deny all from 0.0.0.0/8 to any in via $pif #loopback
$cmd 00305 deny all from 169.254.0.0/16 to any in via $pif #DHCP auto-config
$cmd 00306 deny all from 192.0.2.0/24 to any in via $pif #reserved for docs
$cmd 00307 deny all from 204.152.64.0/23 to any in via $pif #Sun cluster interconnect
$cmd 00308 deny all from 224.0.0.0/3 to any in via $pif #Class D &amp; E multicast

# Deny public pings
$cmd 00310 deny icmp from any to any in via $pif

# Deny ident
$cmd 00315 deny tcp from any to any 113 in via $pif

# Deny all Netbios services.
$cmd 00320 deny tcp from any to any 137 in via $pif
$cmd 00321 deny tcp from any to any 138 in via $pif
$cmd 00322 deny tcp from any to any 139 in via $pif
$cmd 00323 deny tcp from any to any 81 in via $pif

# Deny fragments
$cmd 00330 deny all from any to any frag in via $pif

# Deny ACK packets that did not match the dynamic rule table
$cmd 00332 deny tcp from any to any established in via $pif

# Allow traffic from ISP's DHCP server.
# Replace x.x.x.x with the same IP address used in rule 00120.
#$cmd 00360 allow udp from any to x.x.x.x 67 in via $pif keep-state

# Allow HTTP connections to internal web server
$cmd 00400 allow tcp from any to me 80 in via $pif setup limit src-addr 2

# Allow inbound SSH connections
$cmd 00410 allow tcp from any to me 22 in via $pif setup limit src-addr 2

# Reject and log all other incoming connections
$cmd 00499 deny log all from any to any in via $pif
The last rule denies and logs all packets that do not match any of the rules in the ruleset:
# Everything else is denied and logged
$cmd 00999 deny log all from any to any
In-kernel <acronym>NAT</acronym>
<personname> <firstname>Dries</firstname> <surname>Michiels</surname> </personname> <contrib>Rewritten and updated by </contrib>
<primary>NAT</primary> <secondary>and <application>IPFW</application></secondary>
FreeBSD's <application>IPFW</application> firewall has two implementations of <acronym>NAT</acronym>: the userland implementation <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, and the more recent in-kernel <acronym>NAT</acronym> implementation. Both work in conjunction with <application>IPFW</application> to provide network address translation. This can be used to provide an Internet Connection Sharing solution so that several internal computers can connect to the Internet using a single public <acronym>IP</acronym> address.
To do this, the FreeBSD machine connected to the Internet must act as a gateway. This system must have two <acronym>NIC</acronym>s, where one is connected to the Internet and the other is connected to the internal <acronym>LAN</acronym>. Each machine connected to the <acronym>LAN</acronym> should be assigned an <acronym>IP</acronym> address in the private network space, as defined by <link xlink:href="https://www.ietf.org/rfc/rfc1918.txt">RFC 1918</link>.
Some additional configuration is needed in order to enable the in-kernel <acronym>NAT</acronym> facility of <application>IPFW</application>. To enable in-kernel <acronym>NAT</acronym> support at boot time, the following must be set in <filename>/etc/rc.conf</filename>:
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
When <literal>firewall_nat_enable</literal> is set but <literal>firewall_enable</literal> is not, it has no effect, because the in-kernel <acronym>NAT</acronym> implementation is only compatible with <application>IPFW</application>.
When the ruleset contains stateful rules, the positioning of the <acronym>NAT</acronym> rule is critical and the <literal>skipto</literal> action is used. The <literal>skipto</literal> action requires a rule number so that it knows which rule to jump to. The example below builds upon the firewall ruleset shown in the previous section. It adds some additional entries and modifies some existing rules in order to configure the firewall for in-kernel <acronym>NAT</acronym>. It starts by adding some additional variables which represent the rule number to skip to, the <literal>keep-state</literal> option, and a list of <acronym>TCP</acronym> ports which will be used to reduce the number of rules.
#!/bin/sh
ipfw -q -f flush
cmd="ipfw -q add"
skip="skipto 1000"
pif=dc0
ks="keep-state"
good_tcpo="22,25,37,53,80,443,110"
With in-kernel <acronym>NAT</acronym> it is necessary to disable TCP segmentation offloading (<acronym>TSO</acronym>) due to the architecture of <citerefentry><refentrytitle>libalias</refentrytitle><manvolnum>3</manvolnum></citerefentry>, a library implemented as a kernel module to provide the in-kernel <acronym>NAT</acronym> facility of <application>IPFW</application>. <acronym>TSO</acronym> can be disabled on a per network interface basis using <citerefentry><refentrytitle>ifconfig</refentrytitle><manvolnum>8</manvolnum></citerefentry> or on a system wide basis using <citerefentry><refentrytitle>sysctl</refentrytitle><manvolnum>8</manvolnum></citerefentry>. To disable <acronym>TSO</acronym> system wide, the following must be set in <filename>/etc/sysctl.conf</filename>:
net.inet.tcp.tso="0"
A <acronym>NAT</acronym> instance will also be configured. It is possible to have multiple <acronym>NAT</acronym> instances, each with its own configuration. For this example only one <acronym>NAT</acronym> instance is needed, <acronym>NAT</acronym> instance number 1. The configuration can take a few options such as: <option>if</option>, which indicates the public interface; <option>same_ports</option>, which takes care that aliased ports and local port numbers are mapped the same; <option>unreg_only</option>, which results in only unregistered (private) address spaces being processed by the <acronym>NAT</acronym> instance; and <option>reset</option>, which helps to keep a functioning <acronym>NAT</acronym> instance even when the public <acronym>IP</acronym> address of the <application>IPFW</application> machine changes. For all possible options that can be passed to a single <acronym>NAT</acronym> instance configuration consult <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>. When configuring a stateful <acronym>NAT</acronym>ing firewall, it is necessary to allow translated packets to be reinjected into the firewall for further processing. This can be achieved by disabling <option>one_pass</option> behavior at the start of the firewall script.
ipfw disable one_pass
ipfw -q nat 1 config if $pif same_ports unreg_only reset
The inbound <acronym>NAT</acronym> rule is inserted <emphasis>after</emphasis> the two rules which allow all traffic on the trusted and loopback interfaces and after the reassemble rule but <emphasis>before</emphasis> the <literal>check-state</literal> rule. It is important that the rule number selected for this <acronym>NAT</acronym> rule, in this example <literal>100</literal>, is higher than the first three rules and lower than the <literal>check-state</literal> rule. Furthermore, because of the behavior of in-kernel <acronym>NAT</acronym> it is advised to place a reassemble rule just before the first <acronym>NAT</acronym> rule and after the rules that allow traffic on the trusted interface. Normally, <acronym>IP</acronym> fragmentation should not happen, but when dealing with <acronym>IPSEC/ESP/GRE</acronym> tunneling traffic it might, and the reassembling of fragments is necessary before handing the complete packet over to the in-kernel <acronym>NAT</acronym> facility.
The reassemble rule was not needed with userland <citerefentry><refentrytitle>natd</refentrytitle><manvolnum>8</manvolnum></citerefentry> because the internal workings of the <application>IPFW</application> <literal>divert</literal> action already take care of reassembling packets before delivery to the socket, as also stated in <citerefentry><refentrytitle>ipfw</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
The <acronym>NAT</acronym> instance and rule number used in this example do not match the default <acronym>NAT</acronym> instance and rule number created by <filename>rc.firewall</filename>. <filename>rc.firewall</filename> is a script that sets up the default firewall rules present in FreeBSD.
$cmd 005 allow all from any to any via xl0 # exclude LAN traffic
$cmd 010 allow all from any to any via lo0 # exclude loopback traffic
$cmd 099 reass all from any to any in # reassemble inbound packets
$cmd 100 nat 1 ip from any to any in via $pif # NAT any inbound packets
# Allow the packet through if it has an existing entry in the dynamic rules table
$cmd 101 check-state
The outbound rules are modified to replace the <literal>allow</literal> action with the <literal>$skip</literal> variable, indicating that rule processing will continue at rule <literal>1000</literal>. The seven <literal>tcp</literal> rules have been replaced by rule <literal>125</literal> as the <literal>$good_tcpo</literal> variable contains the seven allowed outbound ports.
Remember that <application>IPFW</application>'s performance is largely determined by the number of rules present in the ruleset.
Source information

Source string comment
(itstool) path: sect2/para
Source string location
book.translate.xml:60052
String age
a year ago
Source string age
a year ago
Translation file
books/zh_CN/handbook.po, string 9863