svn commit: r44055 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Tue Feb 25 18:57:41 UTC 2014
Author: dru
Date: Tue Feb 25 18:57:40 2014
New Revision: 44055
URL: http://svnweb.freebsd.org/changeset/doc/44055
Log:
Start editorial review. To be continued tomorrow.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:59:16 2014 (r44054)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 18:57:40 2014 (r44055)
@@ -1585,7 +1585,7 @@ block drop out quick on $ext_if from any
</sect1>
<sect1 xml:id="firewalls-ipfw">
- <title>IPFW</title>
+ <title><application>IPFW</application></title>
<indexterm>
<primary>firewall</primary>
@@ -1593,52 +1593,39 @@ block drop out quick on $ext_if from any
<secondary>IPFW</secondary>
</indexterm>
- <para><acronym>IPFW</acronym> is a stateful firewall written for
- &os; which also provides a traffic shaper, packet scheduler,
- and in-kernel NAT.</para>
+ <para><application>IPFW</application> is a stateful firewall written for
+ &os; which supports both <acronym>IPv4</acronym>
+ and <acronym>IPv6</acronym>. It is comprised of several components: the kernel firewall
+ filter rule processor and its integrated packet accounting
+ facility, the logging facility,
+ <acronym>NAT</acronym>, the &man.dummynet.4; traffic shaper,
+ a forward facility, a bridge
+ facility, and an ipstealth facility.</para>
<para>&os; provides a sample ruleset in
- <filename>/etc/rc.firewall</filename>. The sample ruleset
- define several firewall types for common scenarios to assist
+ <filename>/etc/rc.firewall</filename> which
+ defines several firewall types for common scenarios to assist
novice users in generating an appropriate ruleset.
- &man.ipfw.8; provides a powerful syntax which advanced users can
+ <application>IPFW</application> provides a powerful syntax which advanced users can
use to craft customized rulesets that meet the security
requirements of a given environment.</para>
-
- <para>IPFW is composed of several components: the kernel firewall
- filter rule processor and its integrated packet accounting
- facility, the logging facility, the
- <literal>divert</literal> rule which triggers
- <acronym>NAT</acronym>, the dummynet traffic shaper facilities,
- the <literal>fwd rule</literal> forward facility, the bridge
- facility, and the ipstealth facility. IPFW supports both IPv4
- and IPv6.</para>
+
+ <para>This section describes how to enable
+ <application>IPFW</application>, provides an overview of its
+ rule syntax, and demonstrates several rulesets for common
+ configuration scenarios.</para>
<sect2 xml:id="firewalls-ipfw-enable">
- <title>Enabling IPFW</title>
+ <title>Enabling <application>IPFW</application></title>
<indexterm>
- <primary>IPFW</primary>
+ <primary><application>IPFW</application></primary>
<secondary>enabling</secondary>
</indexterm>
- <para>IPFW is included in the basic &os; install as a run time
- loadable module. The system will dynamically load the kernel
- module when <filename>rc.conf</filename> contains the
- statement <literal>firewall_enable="YES"</literal>. After
- rebooting the system, the following white highlighted message
- is displayed on the screen as part of the boot process:</para>
-
- <screen>ipfw2 initialized, divert disabled, rule-based forwarding disabled, default to deny, logging disabled</screen>
-
- <para>The loadable module includes logging ability. To enable
- logging and set the verbose logging limit, add these
- statements to
- <filename>/etc/sysctl.conf</filename> before rebooting:</para>
-
- <programlisting>net.inet.ip.fw.verbose=1
-net.inet.ip.fw.verbose_limit=5</programlisting>
+ <para><application>IPFW</application> is included in the basic &os; install as a kernel
+ loadable module, meaning that a custom kernel is not needed in order to enable <application>IPFW</application>.</para>
<indexterm>
<primary>kernel options</primary>
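Review bot: the boot message and the `net.inet.ip.fw.verbose` / `net.inet.ip.fw.verbose_limit` sysctl lines deleted in this hunk were the only place the section told users of the loadable module how to turn logging on; the surviving `IPFIREWALL_VERBOSE` text applies to custom kernels only. Unless they reappear in the Logging Firewall Messages subsection later in this review, keep the two sysctl lines in the enabling section. Also, "It is comprised of several components" reads better as "It comprises several components", and the new component list drops the detail carried by the deleted paragraph that NAT is triggered by the `divert` rule and forwarding by `fwd`.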
@@ -1659,76 +1646,35 @@ net.inet.ip.fw.verbose_limit=5</programl
</indexterm>
<indexterm>
- <primary>IPFW</primary>
+ <primary><application>IPFW</application></primary>
<secondary>kernel options</secondary>
</indexterm>
- <para>For those users who wish to statically compile kernel
- IPFW support, the following options are available for the
+ <para>For those users who wish to statically compile
+ <application>IPFW</application> support into a custom kernel,
+ refer to the instructions in <xref linkend="kernelconfig"/>.
+ The following options are available for the
custom kernel configuration file:</para>
- <programlisting>options IPFIREWALL</programlisting>
-
- <para>This option enables IPFW as part of the kernel.</para>
-
- <programlisting>options IPFIREWALL_VERBOSE</programlisting>
-
- <para>This option enables logging of packets that pass through
- IPFW and have the <literal>log</literal> keyword specified in
- the ruleset.</para>
-
- <programlisting>options IPFIREWALL_VERBOSE_LIMIT=5</programlisting>
-
- <para>This option limits the number of packets logged through
- &man.syslogd.8;, on a per-entry basis. This option may be
- used in hostile environments, when firewall activity logging
- is desired. This will close a possible denial of service
- attack via syslog flooding.</para>
-
- <indexterm>
- <primary>kernel options</primary>
-
- <secondary>IPFIREWALL_DEFAULT_TO_ACCEPT</secondary>
- </indexterm>
-
- <programlisting>options IPFIREWALL_DEFAULT_TO_ACCEPT</programlisting>
+ <programlisting>options IPFIREWALL # enables IPFW
+options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
+options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
+options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
+options IPDIVERT # enables NAT</programlisting>
- <para>This option allows everything to pass through the firewall
- by default, which is a good idea when the firewall is being
- set up for the first time.</para>
-
- <indexterm>
- <primary>kernel options</primary>
-
- <secondary>IPDIVERT</secondary>
- </indexterm>
-
- <programlisting>options IPDIVERT</programlisting>
-
- <para>This option enables the use of <acronym>NAT</acronym>
- functionality.</para>
-
- <note>
- <para>The firewall will block all incoming and outgoing
- packets if either the
- <literal>IPFIREWALL_DEFAULT_TO_ACCEPT</literal> kernel
- option or a rule to explicitly allow these connections is
- missing.</para>
- </note>
-
- <para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>
+ <para>To configure the system to enable
+ <application>IPFW</application> at boot time, add the
+ following entry to <filename>/etc/rc.conf</filename>:</para>
<programlisting>firewall_enable="YES"</programlisting>
- <para>To select one of the default firewall types provided by
- &os;, select one by reading
- <filename>/etc/rc.firewall</filename> and specify it in
- the following:</para>
+ <para>To use one of the default firewall types provided by
+ &os;, add another line which specifies the type:</para>
<programlisting>firewall_type="open"</programlisting>
- <para>Available values for this setting are:</para>
+ <para>The available values for this setting are:</para>
<itemizedlist>
<listitem>
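Review bot: folding the five kernel options into one listing loses two points the deleted paragraphs made: that `IPFIREWALL_VERBOSE_LIMIT` exists to close a denial of service through syslog flooding, and the removed `<note>` that without `IPFIREWALL_DEFAULT_TO_ACCEPT` or explicit allow rules the firewall blocks all incoming and outgoing traffic. A sentence after the listing covering both would preserve them. The comment `# enables NAT` on `IPDIVERT` is also broader than the old wording ("the divert rule which triggers NAT"); `# enables divert sockets used for NAT` is closer.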
@@ -1747,27 +1693,27 @@ net.inet.ip.fw.verbose_limit=5</programl
traffic except for the loopback interface.</para>
</listitem>
<listitem>
+ <para><literal>workstation</literal>: protects only this
+ machine using stateful rules.</para>
+ </listitem>
+ <listitem>
<para><literal>UNKNOWN</literal>: disables the loading of
firewall rules.</para>
</listitem>
<listitem>
<para><filename>filename</filename>:
- absolute path of the file containing the firewall
+ full path of the file containing the firewall
rules.</para>
</listitem>
</itemizedlist>
- <para>Two methods are available for loading custom
- <application>ipfw</application> rules. One is to set the
- <literal>firewall_type</literal> variable to the absolute
- path of the file which contains the firewall rules.</para>
-
- <para>The other method is to set the
+ <para>To instead load a custom ruleset, either
+ set the <filename>filename</filename> value of
+ <literal>firewall_type</literal> or set the
<literal>firewall_script</literal> variable to the absolute
path of an executable script that includes
- <command>ipfw</command> commands. A ruleset script that
- blocks all incoming and outgoing traffic would look like
- this:</para>
+ <command>IPFW</command> commands. This example script
+ blocks all incoming and outgoing traffic:</para>
<programlisting>#!/bin/sh
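Review bot: `<command>IPFW</command>` in the new text should be `<command>ipfw</command>`; the command name is lowercase (as in `ipfw add deny out` in the listing this hunk introduces), and `<application>IPFW</application>` is the tag this patch uses for the product name. The phrase "set the <filename>filename</filename> value of <literal>firewall_type</literal>" is also hard to parse; "set <literal>firewall_type</literal> to the full path of the rules file" matches the list item just above.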
@@ -1811,7 +1757,7 @@ ipfw add deny out</programlisting>
</sect2>
<sect2 xml:id="firewalls-ipfw-cmd">
- <title>The IPFW Command</title>
+ <title>The <application>IPFW</application> Command</title>
<indexterm><primary><command>ipfw</command></primary></indexterm>
@@ -1825,7 +1771,7 @@ ipfw add deny out</programlisting>
changes.</para>
<para><command>ipfw</command> is a useful way to display the
- running firewall rules to the console screen. The IPFW
+ running firewall rules to the console screen. The <application>IPFW</application>
accounting facility dynamically creates a counter for each
rule that counts each packet that matches the rule. During
the process of testing a rule, listing the rule with its
@@ -1868,10 +1814,10 @@ ipfw add deny out</programlisting>
</sect2>
<sect2 xml:id="firewalls-ipfw-rules">
- <title>IPFW Rule Syntax</title>
+ <title><application>IPFW</application> Rule Syntax</title>
<indexterm>
- <primary>IPFW</primary>
+ <primary><application>IPFW</application></primary>
<secondary>rule processing order</secondary>
</indexterm>
@@ -1884,7 +1830,7 @@ ipfw add deny out</programlisting>
action field value is executed and the search of the ruleset
terminates for that packet. This is referred to as
<quote>first match wins</quote>. If the packet does not match
- any of the rules, it gets caught by the mandatory IPFW default
+ any of the rules, it gets caught by the mandatory <application>IPFW</application> default
rule, number 65535, which denies all packets and silently
discards them. However, if the packet matches a rule that
contains the <literal>count</literal>,
@@ -1900,13 +1846,13 @@ ipfw add deny out</programlisting>
description, refer to &man.ipfw.8;.</para>
<indexterm>
- <primary>IPFW</primary>
+ <primary><application>IPFW</application></primary>
<secondary>rule syntax</secondary>
</indexterm>
<para>This section describes the keywords which comprise an
- <acronym>IPFW</acronym> rule. Keywords must be written in
+ <application>IPFW</application> rule. Keywords must be written in
the following order. <literal>#</literal> is used to mark
the start of a comment and may appear at the end of a rule
line or on its own line. Blank lines are ignored.</para>
@@ -2083,7 +2029,7 @@ ipfw add deny out</programlisting>
<term>Stateful Rule Option</term>
<listitem>
<para>The <literal>check-state</literal> option is used to
- identify where in the IPFW ruleset the packet is to be
+ identify where in the <application>IPFW</application> ruleset the packet is to be
tested against the dynamic rules facility. On a match, the
packet exits the firewall to continue on its way and a new
rule is dynamically created for the next anticipated packet
@@ -2094,7 +2040,7 @@ ipfw add deny out</programlisting>
<para>The dynamic rules facility is vulnerable to resource
depletion from a SYN-flood attack which would open a huge
number of dynamic rules. To counter this type of attack
- with <acronym>IPFW</acronym>, use <literal>limit</literal>.
+ with <application>IPFW</application>, use <literal>limit</literal>.
This keyword limits the number of simultaneous sessions by
checking that rule's source or destinations fields and using
the packet's IP address in a search of the open dynamic
@@ -2110,12 +2056,12 @@ ipfw add deny out</programlisting>
<title>Logging Firewall Messages</title>
<indexterm>
- <primary>IPFW</primary>
+ <primary><application>IPFW</application></primary>
<secondary>logging</secondary>
</indexterm>
- <para>Even with the logging facility enabled, IPFW will not
+ <para>Even with the logging facility enabled, <application>IPFW</application> will not
generate any rule logging on its own. The firewall
administrator decides which rules in the ruleset will be
logged, and adds the <literal>log</literal> keyword to those
@@ -2156,7 +2102,7 @@ ipfw add deny out</programlisting>
<sect3 xml:id="firewalls-ipfw-rules-script">
<title>Building a Rule Script</title>
- <para>Most experienced IPFW users create a file containing
+ <para>Most experienced <application>IPFW</application> users create a file containing
the rules and code them in a manner compatible with running
them as a script. The major benefit of doing this is the
firewall rules can be refreshed in mass without the need
@@ -2416,17 +2362,17 @@ pif="dc0" # public interface name of
<indexterm>
<primary>NAT</primary>
- <secondary>and IPFW</secondary>
+ <secondary>and <application>IPFW</application></secondary>
</indexterm>
<para>There are some additional configuration statements that
need to be enabled to activate the <acronym>NAT</acronym>
- function of IPFW. For a customized kernel, the kernel
+ function of <application>IPFW</application>. For a customized kernel, the kernel
configuration file needs
<literal>option IPDIVERT</literal> added to the other
<literal>IPFIREWALL</literal> options.</para>
- <para>In addition to the normal IPFW options in
+ <para>In addition to the normal <application>IPFW</application> options in
<filename>/etc/rc.conf</filename>, the following are
needed:</para>
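Review bot: the unchanged context line `<literal>option IPDIVERT</literal>` should read `options IPDIVERT`, matching the kernel configuration listing introduced earlier in this patch; since this hunk already edits the surrounding paragraph, fixing the keyword here would keep the two in sync.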