svn commit: r43996 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Wed Feb 19 20:38:59 UTC 2014
Author: dru
Date: Wed Feb 19 20:38:58 2014
New Revision: 43996
URL: http://svnweb.freebsd.org/changeset/doc/43996
Log:
More shuffling to improve flow.
To be followed by a bunch of commits which look at the actual tech content.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:02:33 2014 (r43995)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Wed Feb 19 20:38:58 2014 (r43996)
@@ -1701,10 +1701,6 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para>There is a way to build IPF rules that utilize the power
of script symbolic substitution. For more information, see
<xref linkend="firewalls-ipf-rules-script"/>.</para>
- </sect2>
-
- <sect2>
- <title>Rule Syntax</title>
<indexterm>
<primary><application>IPFILTER</application></primary>
@@ -1735,35 +1731,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG
STATEFUL</replaceable></para>
- <para><replaceable>ACTION</replaceable> = block | pass</para>
-
- <para><replaceable>IN-OUT</replaceable> = in | out</para>
-
- <para><replaceable>OPTIONS</replaceable> = log | quick | on
- interface-name</para>
-
- <para><replaceable>SELECTION</replaceable> = proto value |
- source/destination IP | port = number | flags
- flag-value</para>
-
- <para><replaceable>PROTO</replaceable> = tcp/udp | udp | tcp |
- icmp</para>
-
- <para><replaceable>SRC_ADD,DST_ADDR</replaceable> = all | from
- object to object</para>
-
- <para><replaceable>OBJECT</replaceable> = IP address |
- any</para>
-
- <para><replaceable>PORT_NUM</replaceable> = port number</para>
-
- <para><replaceable>TCP_FLAG</replaceable> = S</para>
-
- <para><replaceable>STATEFUL</replaceable> = keep state</para>
-
- <sect3>
- <title>ACTION</title>
+ <para>Each keyword and its options are described below.</para>
+ <variablelist>
+ <varlistentry>
+ <term>ACTION</term>
+ <listitem>
<para>The action keyword indicates what to do with the packet
if it matches the rest of the filter rule. Each rule
<emphasis>must</emphasis> have an action. The following
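Review bot: the deleted summary lines (ACTION = block | pass, IN-OUT = in | out, OPTIONS = log | quick | on interface-name, PROTO = tcp/udp | udp | tcp | icmp, TCP_FLAG = S, STATEFUL = keep state) were the only place in this hunk that states each keyword's legal values at a glance, and nothing in the new `<variablelist>` carries them over, so the reader loses the quick reference. Suggest folding each value set into its `<term>`, for instance `<term>ACTION = block | pass</term>`, or keeping the synopsis as a `<programlisting>` directly after the new "Each keyword and its options are described below." paragraph. Doing so is also the moment to drop the `SRC_ADD,DST_ADDR` typo the old list carried.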
@@ -1776,11 +1749,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para><literal>pass</literal> indicates that the packet should
exit the firewall if the selection parameters match the
packet.</para>
- </sect3>
-
- <sect3>
- <title>IN-OUT</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>IN-OUT</term>
+ <listitem>
<para>A mandatory requirement is that each filter rule
explicitly state which side of the I/O it is to be used
on. The next keyword must be either <literal>in</literal>
@@ -1794,11 +1768,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para><literal>out</literal> means this rule is being applied
against an outbound packet destined for the interface facing
the public Internet.</para>
- </sect3>
-
- <sect3>
- <title>OPTIONS</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>OPTIONS</term>
+ <listitem>
<note>
<para>These options must be used in the order shown
here.</para>
@@ -1833,11 +1808,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
state</literal> option, this option is recommended so that
only the triggering packet is logged and not every packet
which matches the stateful connection.</para>
- </sect3>
-
- <sect3>
- <title>SELECTION</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>SELECTION</term>
+ <listitem>
<para>The keywords described in this section are used to
describe attributes of the packet to be checked when
determining whether or not rules match. There is a
@@ -1845,11 +1821,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
which has to be selected. The following general-purpose
attributes are provided for matching, and must be used in
this order:</para>
- </sect3>
-
- <sect3>
- <title>PROTO</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PROTO</term>
+ <listitem>
<para><literal>proto</literal> is the subject keyword which
must include one of its corresponding keyword sub-option
values. The sub-option indicates a specific protocol to be
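Review bot: the SELECTION entry that closes at the top of this hunk now ends on "and must be used in this order:" immediately followed by `</listitem>`, so the colon introduces nothing; in the old layout it led into the `<sect3>` subsections that followed. Either end the sentence with a period or reword it to "and must be used in the order given by the entries that follow."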
@@ -1862,11 +1839,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
either a <acronym>TCP</acronym> or a <acronym>UDP</acronym>
packet, and has been added as a convenience to save
duplication of otherwise identical rules.</para>
- </sect3>
-
- <sect3>
- <title>SRC_ADDR/DST_ADDR</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>SRC_ADDR/DST_ADDR</term>
+ <listitem>
<para>The <literal>all</literal> keyword is equivalent to
<quote>from any to any</quote> with no other match
parameters.</para>
@@ -1890,11 +1868,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
the calculation. Additional information is available at the
utility's web page: <uri
xlink:href="http://jodies.de/ipcalc">http://jodies.de/ipcalc</uri>.</para>
- </sect3>
-
- <sect3>
- <title>PORT</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>PORT</term>
+ <listitem>
<para>If a port match is included, for either or both of
source and destination, it is only applied to
<acronym>TCP</acronym> and <acronym>UDP</acronym> packets.
@@ -1920,11 +1899,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para>To specify port ranges, place the two port numbers
between <literal><></literal> or
<literal>><</literal></para>
- </sect3>
-
- <sect3>
- <title><acronym>TCP</acronym>_FLAG</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><acronym>TCP</acronym>_FLAG</term>
+ <listitem>
<para>Flags are only effective for <acronym>TCP</acronym>
filtering. The letters represent one of the possible flags
that can be matched against the <acronym>TCP</acronym>
@@ -1933,15 +1913,18 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para>The modernized rules processing logic uses the
<literal>flags S</literal> parameter to identify the TCP
session start request.</para>
- </sect3>
-
- <sect3>
- <title>STATEFUL</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>STATEFUL</term>
+ <listitem>
<para><literal>keep state</literal> indicates that on a pass
rule, any packets that match the rules selection parameters
should activate the stateful filtering facility.</para>
- </sect3>
+ </listitem>
+ </varlistentry>
+ </variablelist>
</sect2>
<sect2>
@@ -2382,7 +2365,7 @@ sh /etc/ipf.rules.script</programlisting
</sect2>
<sect2>
- <title><acronym>NAT</acronym></title>
+ <title>Configuring <acronym>NAT</acronym></title>
<indexterm><primary>NAT</primary></indexterm>
@@ -2399,8 +2382,7 @@ sh /etc/ipf.rules.script</programlisting
</indexterm>
<para><acronym>NAT</acronym> stands for <emphasis>Network
- Address Translation</emphasis>. In &linux;, NAT is called
- <quote>IP Masquerading</quote>. The IPF
+ Address Translation</emphasis>. The IPF
<acronym>NAT</acronym> function enables the private LAN behind
the firewall to share a single ISP-assigned IP address, even
if that address is dynamically assigned. NAT allows each
@@ -2408,7 +2390,26 @@ sh /etc/ipf.rules.script</programlisting
having to pay the ISP for multiple Internet accounts or IP
addresses.</para>
- <para><acronym>NAT</acronym> will automatically translate the
+ <para>In IPF, when a packet arrives at the firewall from the LAN
+ with a public destination, it passes through the outbound
+ filter rules. <acronym>NAT</acronym> gets its turn at the
+ packet and applies its rules top down, where the first
+ matching rule wins. <acronym>NAT</acronym> tests each of its
+ rules against the packet's interface name and source IP
+ address. When a packet's interface name matches a
+ <acronym>NAT</acronym> rule, the packet's source IP address in
+ the private LAN is checked to see if it falls within the IP
+ address range specified to the left of the arrow symbol on the
+ <acronym>NAT</acronym> rule. On a match, the packet has its
+ source IP address rewritten with the public IP address
+ obtained by the <literal>0/32</literal> keyword.
+ <acronym>NAT</acronym> posts an entry in its internal
+ <acronym>NAT</acronym> table so when the packet returns from
+ the public Internet it can be mapped back to its original
+ private IP address and then passed to the filter rules for
+ processing.</para>
+
+ <para><acronym>NAT</acronym> will automatically translate the
private LAN IP address for each system on the LAN to the
single public IP address as packets exit the firewall bound
for the public Internet. It also performs the reverse
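Review bot: the paragraph moved in here refers to the range "to the left of the arrow symbol" and to the `0/32` keyword before the `map` rule syntax that defines both has been shown (that text stays further down in this commit, in the hunk around line 2516), so a first-time reader meets the arrow and `0/32` with no definition. Either place this paragraph after the rule-syntax description or add a forward `<xref>` to it. Separately, "rewritten with the public IP address obtained by the 0/32 keyword" overstates the case: the retained syntax text says the right-hand side may be either the static external address or `0/32`, so say "the public address given to the right of the arrow, either a static address or the one selected by 0/32".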
@@ -2433,18 +2434,25 @@ sh /etc/ipf.rules.script</programlisting
</listitem>
</itemizedlist>
- </sect2>
+ <indexterm><primary><command>ipnat</command></primary></indexterm>
- <sect2>
- <title>IP<acronym>NAT</acronym></title>
+ <para>To enable IP<acronym>NAT</acronym>, add these statements
+ to <filename>/etc/rc.conf</filename>.</para>
- <indexterm>
- <primary>NAT</primary>
+ <para>To enable the machine to route traffic between
+ interfaces:</para>
- <secondary>and <application>IPFILTER</application></secondary>
- </indexterm>
+ <programlisting>gateway_enable="YES"</programlisting>
- <indexterm><primary><command>ipnat</command></primary></indexterm>
+ <para>To start IP<acronym>NAT</acronym> automatically each
+ time:</para>
+
+ <programlisting>ipnat_enable="YES"</programlisting>
+
+ <para>To specify where to load the IP<acronym>NAT</acronym>
+ rules from:</para>
+
+ <programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting>
<para><acronym>NAT</acronym> rules are loaded using
<command>ipnat</command>. Typically, the
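Review bot: the three `/etc/rc.conf` settings added here (`gateway_enable="YES"`, `ipnat_enable="YES"`, `ipnat_rules="/etc/ipnat.rules"`) repeat what the chapter's earlier rc.conf listing already shows, as the hunk-header context `ipnat_rules="/etc/ipnat.rules" # rule` indicates; an `<xref>` to that listing would keep the two copies from drifting apart. Two smaller points: the `<indexterm><primary>NAT</primary><secondary>and <application>IPFILTER</application></secondary></indexterm>` entry is deleted rather than moved, so the index loses it; and there is no blank line between the `gateway_enable="YES"` and `ipnat_rules=` programlistings and the paragraphs that follow them, unlike the `ipnat_enable="YES"` one.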
@@ -2479,10 +2487,6 @@ sh /etc/ipf.rules.script</programlisting
to rule processing and active rules/table entries:</para>
<screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
- </sect2>
-
- <sect2>
- <title>IP<acronym>NAT</acronym> Rules</title>
<para><acronym>NAT</acronym> rules are flexible and can
accomplish many different things to fit the needs of
@@ -2512,54 +2516,8 @@ sh /etc/ipf.rules.script</programlisting
be the static external IP address or the special keyword
<literal>0/32</literal> which uses the IP address assigned to
<replaceable>IF</replaceable>.</para>
- </sect2>
-
- <sect2>
- <title>How <acronym>NAT</acronym> Works</title>
-
- <para>In IPF, when a packet arrives at the firewall from the LAN
- with a public destination, it passes through the outbound
- filter rules. <acronym>NAT</acronym> gets its turn at the
- packet and applies its rules top down, where the first
- matching rule wins. <acronym>NAT</acronym> tests each of its
- rules against the packet's interface name and source IP
- address. When a packet's interface name matches a
- <acronym>NAT</acronym> rule, the packet's source IP address in
- the private LAN is checked to see if it falls within the IP
- address range specified to the left of the arrow symbol on the
- <acronym>NAT</acronym> rule. On a match, the packet has its
- source IP address rewritten with the public IP address
- obtained by the <literal>0/32</literal> keyword.
- <acronym>NAT</acronym> posts an entry in its internal
- <acronym>NAT</acronym> table so when the packet returns from
- the public Internet it can be mapped back to its original
- private IP address and then passed to the filter rules for
- processing.</para>
- </sect2>
-
- <sect2>
- <title>Enabling IP<acronym>NAT</acronym></title>
-
- <para>To enable IP<acronym>NAT</acronym>, add these statements
- to <filename>/etc/rc.conf</filename>.</para>
-
- <para>To enable the machine to route traffic between
- interfaces:</para>
-
- <programlisting>gateway_enable="YES"</programlisting>
- <para>To start IP<acronym>NAT</acronym> automatically each
- time:</para>
-
- <programlisting>ipnat_enable="YES"</programlisting>
-
- <para>To specify where to load the IP<acronym>NAT</acronym>
- rules from:</para>
-
- <programlisting>ipnat_rules="/etc/ipnat.rules"</programlisting>
- </sect2>
-
- <sect2>
+ <sect3>
<title><acronym>NAT</acronym> for a Large LAN</title>
<para>For networks that have large numbers of systems on the LAN
@@ -2567,13 +2525,10 @@ sh /etc/ipf.rules.script</programlisting
funneling all those private IP addresses into a single public
IP address becomes a resource problem that may cause problems
with the same port numbers being used many times across many
- connections, causing collisions. There are two ways to
+ connections, causing collisions. This section describes two ways to
relieve this resource problem.</para>
- <sect3>
- <title>Assigning Ports to Use</title>
-
- <para>A normal NAT rule would look like:</para>
+ <para>The first method is to assign ports to use. A normal NAT rule would look like:</para>
<programlisting>map dc0 192.168.1.0/24 -> 0/32</programlisting>
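Review bot: the two rewritten lines in this hunk, "connections, causing collisions. This section describes two ways to" and "<para>The first method is to assign ports to use. A normal NAT rule would look like:", run well past the roughly 70-column wrap the rest of the file keeps; rewrap them now so the promised tech-content commits produce readable diffs. Wording: "assign ports to use" is awkward; "restrict the range of source ports NAT may allocate" describes what the `portmap` clause in the example that follows actually does.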
@@ -2592,12 +2547,8 @@ sh /etc/ipf.rules.script</programlisting
available for use:</para>
<programlisting>map dc0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto</programlisting>
- </sect3>
- <sect3>
- <title>Using a Pool of Public Addresses</title>
-
- <para>In very large LANs there comes a point where there are
+ <para>The second method is to use a pool of public addresses. In very large LANs there comes a point where there are
just too many LAN addresses to fit into a single public
address. If a block of public IP addresses is available,
these addresses can be used as a <quote>pool</quote>, and
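Review bot: the line "<para>The second method is to use a pool of public addresses. In very large LANs there comes a point where there are" is likewise over-long and needs rewrapping. With the two former `<sect3>` headings gone, "The first method" and "The second method" are the only signposts left in the section, so consider keeping the old heading text as `<emphasis>` at the start of each paragraph, or an `<itemizedlist>`, so a reader scanning for the address-pool option can still find it.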
@@ -2619,9 +2570,8 @@ sh /etc/ipf.rules.script</programlisting
<programlisting>map dc0 192.168.1.0/24 -> 204.134.75.0/24</programlisting>
</sect3>
- </sect2>
- <sect2>
+ <sect3>
<title>Port Redirection</title>
<para>A common practice is to have a web server, email server,
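Review bot: now that the pool example and "Port Redirection" both sit under "Configuring NAT", the sample addresses in this region deserve a look in the tech-content pass the log message promises: `204.134.75.0/24` in the pool rule above, and `20.20.20.5/32` in the `rdr` rule of the next hunk, are routable public prefixes rather than documentation space. RFC 5737 reserves 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 for examples; using one of those means a reader who copies the rules cannot accidentally map traffic toward someone else's network.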
@@ -2646,9 +2596,9 @@ sh /etc/ipf.rules.script</programlisting
needs to receive public DNS requests:</para>
<programlisting>rdr dc0 20.20.20.5/32 port 53 -> 10.0.10.33 port 53 udp</programlisting>
- </sect2>
+ </sect3>
- <sect2>
+ <sect3>
<title>FTP and <acronym>NAT</acronym></title>
<para>FTP has two modes: active mode and passive mode. The
@@ -2658,9 +2608,6 @@ sh /etc/ipf.rules.script</programlisting
and the different modes, see <uri
xlink:href="http://www.slacksite.com/other/ftp.html">http://www.slacksite.com/other/ftp.html</uri>.</para>
- <sect3>
- <title>IP<acronym>NAT</acronym> Rules</title>
-
<para>IP<acronym>NAT</acronym> has a built in FTP proxy option
which can be specified on the <acronym>NAT</acronym> map
rule. It can monitor all outbound packet traffic for FTP
@@ -2693,10 +2640,6 @@ sh /etc/ipf.rules.script</programlisting
<acronym>NAT</acronym>. All LAN packets that are not FTP
will not match the FTP rules but will undergo
<acronym>NAT</acronym> if they match the third rule.</para>
- </sect3>
-
- <sect3>
- <title>IP<acronym>NAT</acronym> FTP Filter Rules</title>
<para>Only one filter rule is needed for FTP if the
<acronym>NAT</acronym> FTP proxy is used.</para>
@@ -2846,10 +2789,6 @@ pass in quick on rl0 proto tcp from any
last rule in the ruleset. This makes it possible to see all
the packets that did not match any of the rules in the
ruleset.</para>
- </sect2>
-
- <sect2>
- <title>IPMON Logging</title>
<para>&man.syslogd.8; uses its own method for segregation of log
data. It uses groupings called <quote>facility</quote> and
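Review bot: removing the "IPMON Logging" heading drops the `&man.syslogd.8;` facility/level paragraph straight after the sentence about the catch-all last rule, with no transition from rule ordering to syslog plumbing. Add a one-sentence bridge, for example "<command>ipmon</command> hands its output to &man.syslogd.8;, which decides where each message is written.", or keep a `<sect3>` here the way this commit does for the NAT subsections.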
@@ -2890,10 +2829,6 @@ LOG_ERR - packets which have been logged
<para>Do not forget to change
<filename>/etc/newsyslog.conf</filename> to rotate the new
log file.</para>
- </sect2>
-
- <sect2>
- <title>The Format of Logged Messages</title>
<para>Messages generated by <command>ipmon</command> consist
of data fields separated by white space. Fields common to