svn commit: r40948 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Mon Feb 11 15:01:38 UTC 2013
Author: dru
Date: Mon Feb 11 15:01:37 2013
New Revision: 40948
URL: http://svnweb.freebsd.org/changeset/doc/40948
Log:
This patch addresses the following:
- rewording to remove you, etc., i.e., and references to PPP
- fixes xref
- general tightening, removal of redundant paragraphs, and many fixes to grammos/typos
- a reference to a non-existing logging section was removed
- several comments were addressed and removed
Approved by gjb (mentor)
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Mon Feb 11 14:58:34 2013 (r40947)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Mon Feb 11 15:01:37 2013 (r40948)
@@ -36,39 +36,37 @@
<sect1 id="firewalls-intro">
<title>Introduction</title>
- <para>Firewalls make it possible to filter incoming and outgoing
- traffic that flows through your system. A firewall can use one
- or more sets of <quote>rules</quote> to inspect the network
- packets as they come in or go out of your network connections
- and either allows the traffic through or blocks it. The rules
- of a firewall can inspect one or more characteristics of the
- packets, including but not limited to the protocol type, the
- source or destination host address, and the source or
- destination port.</para>
-
- <para>Firewalls can greatly enhance the security of a host or a
- network. They can be used to do one or more of
- the following things:</para>
+ <para>Firewalls make it possible to filter the incoming and
+ outgoing traffic that flows through a system. A firewall can
+ use one or more sets of <quote>rules</quote> to inspect network
+ packets as they come in or go out of network connections and
+ either allows the traffic through or blocks it. The rules of
+ a firewall can inspect one or more characteristics of the
+ packets such as the protocol type, source or destination host
+ address, and source or destination port.</para>
+
+ <para>Firewalls can enhance the security of a host or a network.
+ They can be used to do one or more of the following:</para>
<itemizedlist>
<listitem>
- <para>To protect and insulate the applications, services and
- machines of your internal network from unwanted traffic
- coming in from the public Internet.</para>
+ <para>Protect and insulate the applications, services, and
+ machines of an internal network from unwanted traffic from
+ the public Internet.</para>
</listitem>
<listitem>
- <para>To limit or disable access from hosts of the internal
+ <para>Limit or disable access from hosts of the internal
network to services of the public Internet.</para>
</listitem>
<listitem>
- <para>To support network address translation
- (<acronym>NAT</acronym>), which allows your internal network
+ <para>Support network address translation
+ (<acronym>NAT</acronym>), which allows an internal network
to use private <acronym>IP</acronym> addresses and share a
- single connection to the public Internet (either with a
- single <acronym>IP</acronym> address or by a shared pool of
- automatically assigned public addresses).</para>
+ single connection to the public Internet using either a
+ single <acronym>IP</acronym> address or a shared pool of
+ automatically assigned public addresses.</para>
</listitem>
</itemizedlist>
@@ -76,27 +74,27 @@
<itemizedlist>
<listitem>
- <para>How to properly define packet filtering rules.</para>
+ <para>How to define packet filtering rules.</para>
</listitem>
<listitem>
- <para>The differences between the firewalls
- built into &os;.</para>
+ <para>The differences between the firewalls built into
+ &os;.</para>
</listitem>
<listitem>
- <para>How to use and configure the OpenBSD
+ <para>How to use and configure the
<application>PF</application> firewall.</para>
</listitem>
<listitem>
- <para>How to use and configure
- <application>IPFILTER</application>.</para>
+ <para>How to use and configure the
+ <application>IPFILTER</application> firewall.</para>
</listitem>
<listitem>
- <para>How to use and configure
- <application>IPFW</application>.</para>
+ <para>How to use and configure the
+ <application>IPFW</application> firewall.</para>
</listitem>
</itemizedlist>
@@ -118,81 +116,68 @@
<secondary>rulesets</secondary>
</indexterm>
- <para>There are two basic ways to create firewall rulesets:
- <quote>inclusive</quote> or <quote>exclusive</quote>. An
+ <para>A firewall ruleset can be either
+ <quote>exclusive</quote> or <quote>inclusive</quote>. An
exclusive firewall allows all traffic through except for the
traffic matching the ruleset. An inclusive firewall does the
- reverse. It only allows traffic matching the rules through and
+ reverse as it only allows traffic matching the rules through and
blocks everything else.</para>
- <para>An inclusive firewall offers much better control of the
- outgoing traffic, making it a better choice for systems that
- offer services to the public Internet. It also controls the
- type of traffic originating from the public Internet that can
- gain access to your private network. All traffic that does
- not match the rules, is blocked and logged by design. Inclusive
- firewalls are generally safer than exclusive firewalls because
- they significantly reduce the risk of allowing unwanted traffic
- to pass through them.</para>
+ <para>An inclusive firewall offers better control of the outgoing
+ traffic, making it a better choice for systems that offer
+ services to the public Internet. It also controls the type of
+ traffic originating from the public Internet that can gain
+ access to a private network. All traffic that does not match
+ the rules is blocked and logged. Inclusive firewalls are
+ generally safer than exclusive firewalls because they
+ significantly reduce the risk of allowing unwanted
+ traffic.</para>
<note>
<para>Unless noted otherwise, all configuration and example
- rulesets in this chapter, create inclusive type
- firewalls.</para>
+ rulesets in this chapter create inclusive firewall
+ rulesets.</para>
</note>
<para>Security can be tightened further using a <quote>stateful
- firewall</quote>. This type of firewall keeps
- track of which connections are opened through the firewall and
- will only allow traffic through which either matches an existing
- connection or opens a new one. The disadvantage of a stateful
- firewall is that it can be vulnerable to Denial of Service
- (<acronym>DoS</acronym>) attacks if a lot of new connections are
- opened very fast. With most firewalls it is possible to use a
- combination of stateful and non-stateful behavior to make an
- optimal firewall for the site.</para>
+ firewall</quote>. This type of firewall keeps track of open
+ connections and only allows traffic which either matches an
+ existing connection or opens a new, allowed connection. The
+ disadvantage of a stateful firewall is that it can be vulnerable
+ to Denial of Service (<acronym>DoS</acronym>) attacks if a lot
+ of new connections are opened very fast. Most firewalls use a
+ combination of stateful and non-stateful behavior.</para>
</sect1>
<sect1 id="firewalls-apps">
<title>Firewall Packages</title>
- <para>&os; has three different firewall packages built
- into the base system. They are: <emphasis>IPFILTER</emphasis>
- (also known as <acronym>IPF</acronym>),
- <emphasis>IPFIREWALL</emphasis> (also known as
- <acronym>IPFW</acronym>), and <emphasis>OpenBSD's
- PacketFilter</emphasis> (also known as <acronym>PF</acronym>).
- &os; also has two built in packages for traffic shaping
- (basically controlling bandwidth usage): &man.altq.4; and
- &man.dummynet.4;. Dummynet has traditionally been closely
- tied with <acronym>IPFW</acronym>, and
- <acronym>ALTQ</acronym> with
- <acronym>PF</acronym>. Traffic shaping for IPFILTER can
- currently be done with IPFILTER for NAT and filtering and
- <acronym>IPFW</acronym> with &man.dummynet.4;
- <emphasis>or</emphasis> by using <acronym>PF</acronym> with
- <acronym>ALTQ</acronym>.
- IPFW, and PF all use rules to control the access of packets
- to and from your system, although they go about it different
- ways and have a different rule syntax.</para>
-
- <para>The reason that &os; has multiple built in firewall packages
- is that different people have different requirements and
- preferences. No single firewall package is the best.</para>
-
- <para>The author prefers IPFILTER because its stateful rules are
- much less complicated to use in a <acronym>NAT</acronym>
- environment and it has a built in ftp proxy that simplifies the
- rules to allow secure outbound FTP usage.</para>
+ <para>&os; has three firewalls built into the base system:
+ <emphasis>IPFILTER</emphasis>, also known as
+ <acronym>IPF</acronym>, <emphasis>IPFIREWALL</emphasis>, also
+ known as <acronym>IPFW</acronym>, and <acronym>PF</acronym>).
+ &os; also provides two traffic shapers for controlling bandwidth
+ usage: &man.altq.4; and &man.dummynet.4;. Dummynet has
+ traditionally been closely tied with <acronym>IPFW</acronym>,
+ and <acronym>ALTQ</acronym> with <acronym>PF</acronym>. Each
+ firewall uses rules to control the access of packets to and from
+ a &os; system, although they go about it in different ways and
+ each has a different rule syntax.</para>
+
+ <para>&os; provides multiple firewalls in order to meet the
+ different requirements and preferences for a wide variety of
+ users. Each user should evaluate which firewall best meets
+ their needs.</para>
<para>Since all firewalls are based on inspecting the values of
selected packet control fields, the creator of the firewall
- rulesets must have an understanding of how
+ ruleset must have an understanding of how
<acronym>TCP/IP</acronym> works, what the different values in
- the packet control fields are and how these values are used in a
- normal session conversation. For a good explanation go to:
- <ulink
- url="http://www.ipprimer.com/overview.cfm"></ulink>.</para>
+ the packet control fields are, and how these values are used in
+ a normal session conversation. For a good introduction, refer
+ to <ulink
+ url="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP
+ Primer</ulink>.</para>
</sect1>
<sect1 id="firewalls-pf">
@@ -207,8 +192,7 @@
</authorgroup>
</sect1info>
- <title>The OpenBSD Packet Filter (PF) and
- <acronym>ALTQ</acronym></title>
+ <title>PF and <acronym>ALTQ</acronym></title>
<indexterm>
<primary>firewall</primary>
@@ -216,72 +200,65 @@
<secondary>PF</secondary>
</indexterm>
- <para>As of July 2003 the OpenBSD firewall software application
- known as <acronym>PF</acronym> was ported to &os; and
- made available in the &os; Ports Collection. Released in 2004,
- &os; 5.3 was the first release that contained
- <acronym>PF</acronym> as an integrated part of the base system.
- <acronym>PF</acronym> is a complete, full-featured firewall
- that has optional support for <acronym>ALTQ</acronym> (Alternate
- Queuing). <acronym>ALTQ</acronym> provides Quality of Service
- (<acronym>QoS</acronym>) functionality.</para>
-
- <para>The OpenBSD Project does an outstanding job of
- maintaining the <ulink
- url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>.
- As such, this section of the Handbook will focus on
- <acronym>PF</acronym> as it pertains to &os; while providing
- some general information regarding usage. For detailed usage
- information please refer to the <ulink
- url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>.</para>
+ <para>Since &os; 5.3, a ported version of OpenBSD's
+ <acronym>PF</acronym> firewall has been included as an
+ integrated part of the base system. <acronym>PF</acronym> is a
+ complete, full-featured firewall that has optional support for
+ <acronym>ALTQ</acronym> (Alternate Queuing), which provides
+ Quality of Service (<acronym>QoS</acronym>).</para>
+
+ <para>Since the OpenBSD Project maintains the definitive
+ reference for <acronym>PF</acronym> in the<ulink
+ url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>, this
+ section of the Handbook focuses on <acronym>PF</acronym> as it
+ pertains to &os;, while providing some general usage
+ information.</para>
- <para>More information about <acronym>PF</acronym> for &os;
+ <para>More information about porting <acronym>PF</acronym> to &os;
can be found at <ulink
url="http://pf4freebsd.love2party.net/"></ulink>.</para>
<sect2>
<title>Using the PF Loadable Kernel Modules</title>
- <para>To load the PF Kernel Module add the following line to
+ <para>In order to use PF, the PF kernel module must be first
+ loaded. Add the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>pf_enable="YES"</programlisting>
- <para>Then run the startup script to load the module:</para>
+ <para>Then, run the startup script to load the module:</para>
<screen>&prompt.root; <userinput>service pf start</userinput></screen>
- <para>Note that the PF Module will not load if it cannot find
- the ruleset config file. The default location is
+ <para>The PF module will not load if it cannot find the
+ ruleset configuration file. The default location is
<filename>/etc/pf.conf</filename>. If the PF ruleset is
- located somewhere else, PF can be instructed to look there
- by adding a line like the following to
- <filename>/etc/rc.conf</filename>:</para>
+ located somewhere else, add a line to
+ <filename>/etc/rc.conf</filename> which specifies the full
+ path to the file:</para>
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
<para>The sample <filename>pf.conf</filename>
can be found in <filename
- class="directory">/usr/share/examples/pf/</filename>.</para>
+ class="directory">/usr/share/examples/pf/</filename>.</para>
<para>The <acronym>PF</acronym> module can also be loaded
manually from the command line:</para>
<screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
- <para>Logging support for PF is provided by the
- <literal>pflog.ko</literal> and can be loaded by adding the
+ <para>Logging support for PF is provided by
+ <varname>pflog.ko</varname> which can be loaded by adding the
following line to <filename>/etc/rc.conf</filename>:</para>
<programlisting>pflog_enable="YES"</programlisting>
- <para>Then run the startup script to load the module:</para>
+ <para>Then, run the startup script to load the module:</para>
<screen>&prompt.root; <userinput>service pflog start</userinput></screen>
- <para>If you need other <acronym>PF</acronym> features you will
- need to compile <acronym>PF</acronym> support into the
- kernel.</para>
</sect2>
<sect2>
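Review bot: "reference for <acronym>PF</acronym> in the<ulink" is missing the space between "the" and the <ulink> element, so the rendered text reads "in thePF FAQ"; add the space. Also in this hunk, pflog.ko is a file name rather than a variable, so <filename>pflog.ko</filename> fits DocBook usage better than the new <varname> markup (the original <literal> was at least neutral), and "must be first loaded" reads better as "must first be loaded".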
@@ -305,37 +282,32 @@
<secondary>device pfsync</secondary>
</indexterm>
- <para>While it is not necessary that you compile
- <acronym>PF</acronym> support into the &os; kernel, you may
- want to do so to take advantage of one of PF's advanced
- features that is not included in the loadable module, namely
- &man.pfsync.4;, which is a pseudo-device that exposes certain
- changes to the state table used by <acronym>PF</acronym>.
- It can be paired with &man.carp.4; to create failover
- firewalls using <acronym>PF</acronym>. More information on
- <acronym>CARP</acronym> can be found in
- <xref linkend="carp"/> of the Handbook.</para>
-
- <para>The <acronym>PF</acronym> kernel options can be found in
- <filename>/usr/src/sys/conf/NOTES</filename> and are
- reproduced below:</para>
+ <para>While it is not necessary to compile
+ <acronym>PF</acronym> support into the &os; kernel, some of
+ PF's advanced features are not included in the loadable
+ module, namely &man.pfsync.4;, which is a pseudo-device that
+ exposes certain changes to the state table used by
+ <acronym>PF</acronym>. It can be paired with &man.carp.4; to
+ create failover firewalls using <acronym>PF</acronym>. More
+ information on <acronym>CARP</acronym> can be found in <link
+ linkend="carp">of the Handbook</link>.</para>
+
+ <para>The following <acronym>PF</acronym> kernel options can be
+ found in <filename>/usr/src/sys/conf/NOTES</filename>:</para>
<programlisting>device pf
device pflog
device pfsync</programlisting>
- <para>The <literal>device pf</literal> option enables support
- for the <quote>Packet Filter</quote> firewall
- (&man.pf.4;).</para>
-
- <para>The <literal>device pflog</literal> option enables the
- optional &man.pflog.4; pseudo network device which can be
- used to log traffic to a &man.bpf.4; descriptor. The
- &man.pflogd.8; daemon can be used to store the logging
- information to disk.</para>
+ <para><literal>device pf</literal> enables PF support.</para>
+
+ <para><literal>device pflog</literal> enables the optional
+ &man.pflog.4; pseudo network device which can be used to log
+ traffic to a &man.bpf.4; descriptor. The &man.pflogd.8;
+ daemon can then be used to store the logging information to
+ disk.</para>
- <para>The <literal>device pfsync</literal> option enables the
- optional
+ <para><literal>device pfsync</literal> enables the optional
&man.pfsync.4; pseudo-network device that is used to monitor
<quote>state changes</quote>.</para>
</sect2>
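Review bot: the replacement <link linkend="carp">of the Handbook</link> makes "of the Handbook" the link text, so the sentence renders as "More information on CARP can be found in of the Handbook". The log says this fixes the xref, but the fix should be either the self-closing form <xref linkend="carp"/>, which expands to the target section title, or a sensible link text such as <link linkend="carp">the CARP section</link> of the Handbook.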
@@ -343,8 +315,9 @@ device pfsync</programlisting>
<sect2>
<title>Available <filename>rc.conf</filename> Options</title>
- <para>The following &man.rc.conf.5; statements configure
- <acronym>PF</acronym> and &man.pflog.4; at boot:</para>
+ <para>The following &man.rc.conf.5; statements can be used to
+ configure <acronym>PF</acronym> and &man.pflog.4; at
+ boot:</para>
<programlisting>pf_enable="YES" # Enable PF (load module if required)
pf_rules="/etc/pf.conf" # rules definition file for pf
@@ -353,9 +326,9 @@ pflog_enable="YES" # start
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup</programlisting>
- <para>If you have a LAN behind this firewall and have to forward
- packets for the computers on the LAN or want to do NAT, you
- will need the following option as well:</para>
+ <para>If there is a LAN behind the firewall and packets need to
+ be forwarded for the computers on the LAN, or NAT is required,
+ add the following option:</para>
<programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting>
</sect2>
@@ -363,40 +336,40 @@ pflog_flags="" # additi
<sect2>
<title>Creating Filtering Rules</title>
- <para><acronym>PF</acronym> reads its configuration rules from
- &man.pf.conf.5; (<filename>/etc/pf.conf</filename> by
- default) and it modifies, drops, or passes packets according
- to the rules or definitions specified there. The &os;
- installation includes several sample files located in
- <filename>/usr/share/examples/pf/</filename>. Please refer
- to the <ulink url="http://www.openbsd.org/faq/pf/">PF
- FAQ</ulink> for complete coverage of <acronym>PF</acronym>
- rulesets.</para>
+ <para>By default, <acronym>PF</acronym> reads its configuration
+ rules from <filename>/etc/pf.conf</filename> and modifies,
+ drops, or passes packets according to the rules or definitions
+ specified in this file. The &os; installation includes
+ several sample files located in
+ <filename>/usr/share/examples/pf/</filename>. Refer to the
+ <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink> for
+ complete coverage of <acronym>PF</acronym> rulesets.</para>
<warning>
- <para>When browsing the <ulink
- url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>,
- please keep in mind that different versions of &os; can
- contain different versions of PF. Currently,
- &os; 8.<replaceable>X</replaceable> and prior is
- using the same version of <acronym>PF</acronym> as
+ <para>When reading the <ulink
+ url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>,
+ keep in mind that different versions of &os; contain
+ different versions of PF. Currently,
+ &os; 8.<replaceable>X</replaceable> and prior is using
+ the same version of <acronym>PF</acronym> as
OpenBSD 4.1. &os; 9.<replaceable>X</replaceable>
and later is using the same version of <acronym>PF</acronym>
as OpenBSD 4.5.</para>
</warning>
<para>The &a.pf; is a good place to ask questions about
- configuring and running the <acronym>PF</acronym>
- firewall. Do not forget to check the mailing list archives
- before asking questions!</para>
+ configuring and running the <acronym>PF</acronym> firewall.
+ Do not forget to check the mailing list archives before asking
+ questions.</para>
</sect2>
<sect2>
<title>Working with PF</title>
- <para>Use &man.pfctl.8; to control <acronym>PF</acronym>. Below
- are some useful commands (be sure to review the &man.pfctl.8;
- man page for all available options):</para>
+ <para>To control <acronym>PF</acronym>, use &man.pfctl.8;.
+ Below are some useful options to this command. Review
+ &man.pfctl.8; for a description of all available
+ options:</para>
<informaltable frame="none" pgwide="1">
<tgroup cols="2">
@@ -411,35 +384,35 @@ pflog_flags="" # additi
<row>
<entry><command>pfctl
<option>-e</option></command></entry>
- <entry>Enable PF</entry>
+ <entry>Enable PF.</entry>
</row>
<row>
<entry><command>pfctl
<option>-d</option></command></entry>
- <entry>Disable PF</entry>
+ <entry>Disable PF.</entry>
</row>
<row>
<entry><command>pfctl <option>-F</option> all
<option>-f</option> /etc/pf.conf</command></entry>
- <entry>Flush all rules (nat, filter, state, table, etc.)
- and reload from the file
- <filename>/etc/pf.conf</filename></entry>
+ <entry>Flush all NAT, filter, state, and table
+ rules and reload
+ <filename>/etc/pf.conf</filename>.</entry>
</row>
<row>
<entry><command>pfctl <option>-s</option> [ rules | nat
state ]</command></entry>
- <entry>Report on the filter rules, nat rules, or state
- table</entry>
+ <entry>Report on the filter rules, NAT rules, or state
+ table.</entry>
</row>
<row>
<entry><command>pfctl <option>-vnf</option>
/etc/pf.conf</command></entry>
<entry>Check <filename>/etc/pf.conf</filename> for
- errors, but do not load ruleset</entry>
+ errors, but do not load ruleset.</entry>
</row>
</tbody>
</tgroup>
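Review bot: the entry for "pfctl -F all -f /etc/pf.conf" now reads "Flush all NAT, filter, state, and table rules", and "table rules" is not a thing (the original "rules (nat, filter, state, table, etc.)" meant rules, state entries and tables), but the caveat worth a sentence here is that "-F all" also flushes the state table, so every established connection through the firewall is dropped, including the administrator's own SSH session if it passes through a stateful rule. For a plain ruleset reload, "pfctl -f /etc/pf.conf" replaces the rules without touching state, and the table's own "pfctl -vnf /etc/pf.conf" entry should be recommended as the step to run before either form.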
@@ -449,11 +422,11 @@ pflog_flags="" # additi
<sect2>
<title>Enabling <acronym>ALTQ</acronym></title>
- <para><acronym>ALTQ</acronym> is only available by compiling
- support for it into the &os; kernel. <acronym>ALTQ</acronym>
- is not supported by all of the available network card drivers.
- Please see the &man.altq.4; manual page for a list of drivers
- that are supported in your release of &os;.</para>
+ <para><acronym>ALTQ</acronym> is only available by compiling its
+ support into the &os; kernel. <acronym>ALTQ</acronym> is not
+ supported by all network card drivers. Refer to &man.altq.4;
+ for a list of drivers that are supported by the release of
+ &os;.</para>
<para>The following kernel options will enable
<acronym>ALTQ</acronym> and add additional
@@ -473,28 +446,27 @@ options ALTQ_NOPCC # Requir
<para><literal>options ALTQ_CBQ</literal> enables
<emphasis>Class Based Queuing</emphasis>
(<acronym>CBQ</acronym>). <acronym>CBQ</acronym>
- allows you to divide a connection's bandwidth into different
+ can be used to divide a connection's bandwidth into different
classes or queues to prioritize traffic based on filter
rules.</para>
<para><literal>options ALTQ_RED</literal> enables
<emphasis>Random Early Detection</emphasis>
(<acronym>RED</acronym>). <acronym>RED</acronym> is
- used to avoid network congestion. <acronym>RED</acronym>
- does this by measuring the length of the queue and comparing
- it to the minimum and maximum thresholds for the queue. If
- the queue is over the maximum all new packets will be dropped.
- True to its name, <acronym>RED</acronym> drops packets from
- different connections randomly.</para>
+ used to avoid network congestion by measuring the length of
+ the queue and comparing it to the minimum and maximum
+ thresholds for the queue. If the queue is over the maximum,
+ all new packets will be dropped. <acronym>RED</acronym> drops
+ packets from different connections randomly.</para>
<para><literal>options ALTQ_RIO</literal> enables
<emphasis>Random Early Detection In and Out</emphasis>.</para>
<para><literal>options ALTQ_HFSC</literal> enables the
<emphasis>Hierarchical Fair Service Curve Packet
- Scheduler</emphasis>. For more information about
- <acronym>HFSC</acronym> see: <ulink
- url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>
+ Scheduler</emphasis> <acronym>HFSC</acronym>. For more
+ information, refer to <ulink
+ url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>
<para><literal>options ALTQ_PRIQ</literal> enables
<emphasis>Priority Queuing</emphasis>
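Review bot: "<emphasis>Hierarchical Fair Service Curve Packet Scheduler</emphasis> <acronym>HFSC</acronym>" drops the parentheses that the CBQ, RED and PRIQ entries in this section put around the acronym; write "(<acronym>HFSC</acronym>)" for consistency.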
@@ -517,51 +489,46 @@ options ALTQ_NOPCC # Requir
<secondary>IPFILTER</secondary>
</indexterm>
- <para>The author of IPFILTER is Darren Reed. IPFILTER is not
- operating system dependent: it is an open source application and
+ <para>IPFILTER is a cross-platform, open source firewall which
has been ported to &os;, NetBSD, OpenBSD, &sunos;, HP/UX, and
- &solaris; operating systems. IPFILTER is actively being
- supported and maintained, with updated versions being released
- regularly.</para>
+ &solaris; operating systems.</para>
<para>IPFILTER is based on a kernel-side firewall and
<acronym>NAT</acronym> mechanism that can be controlled and
monitored by userland interface programs. The firewall rules
- can be set or deleted with the &man.ipf.8; utility. The
- <acronym>NAT</acronym> rules can be set or deleted with the
- &man.ipnat.8; utility. The &man.ipfstat.8; utility can print
- run-time statistics for the kernel parts of IPFILTER. The
- &man.ipmon.8; program can log IPFILTER actions to the system
- log files.</para>
+ can be set or deleted using &man.ipf.8;. The
+ <acronym>NAT</acronym> rules can be set or deleted using
+ &man.ipnat.8;. Run-time statistics for the kernel parts of
+ IPFILTER can be printed using &man.ipfstat.8;. To log IPFILTER
+ actions to the system log files, use &man.ipmon.8;.</para>
<para>IPF was originally written using a rule processing logic
- of <quote>the last matching rule wins</quote> and used only
- stateless type of rules. Over time IPF has been enhanced to
- include a <quote>quick</quote> option and a stateful
- <quote>keep state</quote> option which drastically modernized
- the rules processing logic. IPF's official documentation covers
- only the legacy rule coding parameters and rule file processing
- logic. The modernized functions are only included as additional
- options, completely understating their benefits in producing
- a far superior and more secure firewall.</para>
+ of <quote>the last matching rule wins</quote> and only used
+ stateless rules. Over time, IPF has been enhanced to include a
+ <quote>quick</quote> option and a stateful
+ <quote>keep state</quote> option which modernized the rules
+ processing logic. IPF's official documentation covers only the
+ legacy rule coding parameters and rule file processing logic and
+ the modernized functions are only included as additional
+ options.</para>
<para>The instructions contained in this section are based on
- using rules that contain the <quote>quick</quote> option and the
- stateful <quote>keep state</quote> option. This is the basic
- framework for coding an inclusive firewall ruleset.</para>
-
- <para>For detailed explanation of the legacy rules processing
- method see: <ulink
- url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink>
+ using rules that contain <quote>quick</quote> and
+ <quote>keep state</quote> as these provide the basic framework
+ for configuring an inclusive firewall ruleset.</para>
+
+ <para>For a detailed explanation of the legacy rules processing
+ method, refer to <ulink
+ url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink>
and <ulink
- url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
+ url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
<para>The IPF FAQ is at <ulink
- url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
+ url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
- <para>A searchable archive of the open-source IPFilter mailing
- list is available at <ulink
- url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
+ <para>A searchable archive of the IPFilter mailing list is
+ available at <ulink
+ url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
<sect2>
<title>Enabling IPF</title>
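Review bot: the rewritten sentence "IPF's official documentation covers only the legacy rule coding parameters and rule file processing logic and the modernized functions are only included as additional options" is a run-on with two unrelated "and"s; split it after "logic" (a semicolon or a full stop) so the second clause, that quick and keep state are documented only as options, stands on its own.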
@@ -572,17 +539,15 @@ options ALTQ_NOPCC # Requir
<secondary>enabling</secondary>
</indexterm>
- <para>IPF is included in the basic &os; install as a separate
- run time loadable module. The system will dynamically load
- the IPF kernel loadable module when the
- <filename>rc.conf</filename> statement
- <literal>ipfilter_enable="YES"</literal> is used. The
- loadable module was created with logging enabled and the
- <literal>default pass all</literal> options. There is no
- need to compile IPF into the &os; kernel just to change the
- default to <literal>block all</literal>. This can be done
- just by adding a <literal>block all</literal> rule at the
- end of your ruleset.</para>
+ <para>IPF is included in the basic &os; install as a kernel
+ loadable module. The system will dynamically load
+ this module at boot time when
+ <varname>ipfilter_enable="YES"</varname> is added to
+ <filename>rc.conf</filename>. The module enables logging and
+ <literal>default pass all</literal>. To change the
+ default to <literal>block all</literal>, add a
+ <literal>block all</literal> rule at the end of the
+ ruleset.</para>
</sect2>
<sect2>
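Review bot: "To change the default to block all, add a block all rule at the end of the ruleset" needs the condition implied by the rule-processing description earlier in this patch: IPF evaluates every rule and the last match wins, so a trailing "block all" only acts as a default-deny when the pass rules above it carry "quick", which ends evaluation at the first match. Without "quick" on the pass rules the trailing "block all" is the last match for every packet and blocks all traffic, including what the pass rules meant to allow. Suggest "add a block all rule at the end of a ruleset whose pass rules use quick", or a cross-reference to the quick and keep state paragraph above.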
@@ -612,15 +577,10 @@ options ALTQ_NOPCC # Requir
<secondary>kernel options</secondary>
</indexterm>
- <para>It is not a mandatory requirement to enable IPF by
- compiling the following options into the &os; kernel. It is
- only presented here as background information. Compiling IPF
- into the kernel causes the loadable module to never be
- used.</para>
-
- <para>Sample kernel config IPF option statements are in the
- <filename>/usr/src/sys/conf/NOTES</filename> kernel source
- and are reproduced here:</para>
+ <para>For users who prefer to statically compile IPF support
+ into a custom kernel, the following IPF option statements,
+ listed in <filename>/usr/src/sys/conf/NOTES</filename>, are
+ available:</para>
<programlisting>options IPFILTER
options IPFILTER_LOG
@@ -629,15 +589,14 @@ options IPFILTER_DEFAULT_BLOCK</programl
<para><literal>options IPFILTER</literal> enables support for
the <quote>IPFILTER</quote> firewall.</para>
- <para><literal>options IPFILTER_LOG</literal> enables the option
- to have IPF log traffic by writing to the
- <devicename>ipl</devicename> packet logging
+ <para><literal>options IPFILTER_LOG</literal> enables IPF
+ logging using the <devicename>ipl</devicename> packet logging
pseudo—device for every rule that has the
<literal>log</literal> keyword.</para>
<para><literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
- the default behavior so any packet not matching a firewall
- <literal>pass</literal> rule gets blocked.</para>
+ the default behavior so that any packet not matching a
+ firewall <literal>pass</literal> rule gets blocked.</para>
<para>These settings will take effect only after installing a
kernel that has been built with the above options set.</para>
@@ -657,9 +616,9 @@ ipmon_flags="-Ds" # D =
# v = log tcp window, ack, seq
# n = map IP & port to names</programlisting>
- <para>If there is a LAN behind this firewall that uses the
- reserved private IP address ranges, the following lines will
- have to be added to enable <acronym>NAT</acronym>
+ <para>If there is a LAN behind the firewall that uses the
+ reserved private IP address ranges, the following lines have
+ to be added to enable <acronym>NAT</acronym>
functionality:</para>
<programlisting>gateway_enable="YES" # Enable as LAN gateway
@@ -672,36 +631,36 @@ ipnat_rules="/etc/ipnat.rules" # rule
<indexterm><primary><command>ipf</command></primary></indexterm>
- <para>The &man.ipf.8; command is used to load your ruleset file.
- Your custom rules would normally be placed in a file, and the
- following command could then be used to replace in mass the
- currently running firewall rules:</para>
+ <para>To load the ruleset file, use &man.ipf.8;. Custom rules
+ are normally placed in a file, and the following command can
+ be used to replace the currently running firewall
+ rules:</para>
<screen>&prompt.root; <userinput>ipf -Fa -f /etc/ipf.rules</userinput></screen>
- <para><option>-Fa</option> means flush all internal rules
+ <para><option>-Fa</option> flushes all the internal rules
tables.</para>
- <para><option>-f</option> means this is the file to read for
- the rules to load.</para>
+ <para><option>-f</option> specifies the file containing the
+ rules to load.</para>
- <para>This gives you the ability to make changes to your custom
+ <para>This provides the ability to make changes to a custom
rules file, run the above IPF command, and thus update the
- running firewall with a fresh copy of all the rules without
- having to reboot the system. This method is very convenient
- for testing new rules as the procedure can be executed as many
- times as needed.</para>
-
- <para>See the &man.ipf.8; manual page for details on the other
- flags available with this command.</para>
-
- <para>The &man.ipf.8; command expects the rules file to be a
- standard text file. It will not accept a rules file written
- as a script with symbolic substitution.</para>
+ running firewall with a fresh copy of the rules without having
+ to reboot the system. This method is convenient for testing
+ new rules as the procedure can be executed as many times as
+ needed.</para>
+
+ <para>Refer to &man.ipf.8; for details on the other flags
+ available with this command.</para>
+
+ <para>&man.ipf.8; expects the rules file to be a standard text
+ file. It will not accept a rules file written as a script
+ with symbolic substitution.</para>
- <para>There is a way to build IPF rules that utilizes the power
+ <para>There is a way to build IPF rules that utilize the power
of script symbolic substitution. For more information, see
- <xref linkend="firewalls-ipf-rules-script"/>.</para>
+ <link linkend="firewalls-ipf-rules-script"></link>.</para>
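Review bot: the replacement `<link linkend="firewalls-ipf-rules-script"></link>` at the end of this hunk has no content, so it only produces visible link text if the stylesheet synthesizes a title for an empty `<link>`; `<xref linkend="firewalls-ipf-rules-script"/>` is the element whose purpose is to generate that text. If the original xref was failing at build time, the more likely cause is that the target `id` is missing or its section has no `<title>`, and that should be checked before switching elements; if `<link>` is kept, give it visible content so the sentence `For more information, see .` does not render with an empty reference.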
</sect2>
<sect2>
@@ -717,15 +676,15 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para>The default behavior of &man.ipfstat.8; is to retrieve
and display the totals of the accumulated statistics gathered
- as a result of applying the user coded rules against packets
- going in and out of the firewall since it was last started,
- or since the last time the accumulators were reset to zero
- using <command>ipf -Z</command>.</para>
+ by applying the rules against packets going in and out of the
+ firewall since it was last started, or since the last time the
+ accumulators were reset to zero using <command>ipf
+ -Z</command>.</para>
- <para>See the &man.ipfstat.8; manual page for details.</para>
+ <para>Refer to &man.ipfstat.8; for details.</para>
- <para>The default &man.ipfstat.8; command output will look
- something like this:</para>
+ <para>The default &man.ipfstat.8; output will look something
+ like this:</para>
<screen>input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
@@ -751,10 +710,10 @@ ipnat_rules="/etc/ipnat.rules" # rule
installed and in use by the kernel.</para>
<para><command>ipfstat -in</command> displays the inbound
- internal rules table with rule number.</para>
+ internal rules table with rule numbers.</para>
<para><command>ipfstat -on</command> displays the outbound
- internal rules table with the rule number.</para>
+ internal rules table with rule numbers.</para>
<para>The output will look something like this:</para>
@@ -776,16 +735,15 @@ ipnat_rules="/etc/ipnat.rules" # rule
354727 block out on dc0 from any to any
430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>
- <para>One of the most important functions of
- <command>ipfstat</command> is the <option>-t</option>
- flag which displays the state table in a way similar to the
- way &man.top.1; shows the &os; running process table. When
- your firewall is under attack, this function gives you the
- ability to identify, drill down to, and see the attacking
- packets. The optional sub-flags give the ability to select
- the destination or source IP, port, or protocol that you want
- to monitor in real time. See the &man.ipfstat.8; manual page
- for details.</para>
+ <para>One of the most important options of
+ <command>ipfstat</command> is <option>-t</option> which
+ displays the state table in a way similar to how &man.top.1;
+ shows the &os; running process table. When a firewall is
+ under attack, this function provides the ability to identify
+ and see the attacking packets. The optional sub-flags give
+ the ability to select the destination or source IP, port, or
+ protocol to be monitored in real time. Refer to
+ &man.ipfstat.8; for details.</para>
</sect2>
<sect2>
@@ -801,55 +759,51 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para>In order for <command>ipmon</command> to work properly,
the kernel option <literal>IPFILTER_LOG</literal> must be
- turned on. This command has two different modes that it can
- be used in. Native mode is the default mode when the command
- is typed on the command line without the <option>-D</option>
- flag.</para>
-
- <para>Daemon mode is for when a continuous
- system log file is desired, so that logging of past events
- may be reviewed. This is how &os; and IPFILTER are configured
- to work together. &os; has a built in facility to
- automatically rotate system logs. That is why outputting the
- log information to &man.syslogd.8; is better than the default
- of outputting to a regular file. In the default
- <filename>rc.conf</filename>, the
- <literal>ipmon_flags</literal> statement uses the
- <option>-Ds</option> flags:</para>
+ turned on. This command has two different modes. Native mode
+ is the default mode when the command is used without
+ <option>-D</option>.</para>
+
+ <para>Daemon mode provides a continuous system log file so that
+ logging of past events may be reviewed. &os; has a built in
+ facility to automatically rotate system logs. This is why
+ outputting the log information to &man.syslogd.8; is better
+ than the default of outputting to a regular file. The default
+ <filename>rc.conf</filename>
+ <literal>ipmon_flags</literal> statement uses
+ <option>-Ds</option>:</para>
<programlisting>ipmon_flags="-Ds" # D = start as daemon
# s = log to syslog
# v = log tcp window, ack, seq
# n = map IP & port to names</programlisting>
- <para>The benefits of logging are obvious. It provides the
- ability to review, after the fact, information such as which
- packets had been dropped, what addresses they came from and
- where they were going. These can all provide a significant
- edge in tracking down attackers.</para>
+ <para>Logging provides the ability to review, after the fact,
+ information such as which packets were dropped, what addresses
+ they came from and where they were going. These can all
+ provide a significant edge in tracking down attackers.</para>
<para>Even with the logging facility enabled, IPF will not
- generate any rule logging on its own. The firewall
- administrator decides what rules in the ruleset he wants to
- log and adds the log keyword to those rules. Normally only
- deny rules are logged.</para>
-
- <para>It is very customary to include a default deny everything
- rule with the log keyword included as your last rule in the
- ruleset. This makes it possible to see all the packets that
- did not match any of the rules in the ruleset.</para>
+ generate any rule logging by default. The firewall
+ administrator decides which rules in the ruleset should be
+ logged and adds the log keyword to those rules. Normally,
+ only deny rules are logged.</para>
+
+ <para>It is customary to include a <quote>default deny
+ everything</quote> rule with the log keyword included as the
+ last rule in the ruleset. This makes it possible to see all
+ the packets that did not match any of the rules in the
+ ruleset.</para>
</sect2>
<sect2>
<title>IPMON Logging</title>
- <para><application>Syslogd</application> uses its own special
- method for segregation of log data. It uses special groupings
- called <quote>facility</quote> and <quote>level</quote>.
- IPMON in <option>-Ds</option> mode uses
- <literal>local0</literal> as the <quote>facility</quote>
- name by default. The following levels can be used to further
- segregate the logged data if desired:</para>
+ <para>&man.syslogd.8; uses its own method for segregation of log
+ data. It uses groupings called <quote>facility</quote> and
+ <quote>level</quote>. By default, IPMON in
+ <option>-Ds</option> mode uses <literal>local0</literal> as
+ the <quote>facility</quote> name. The following levels can be
+ used to further segregate the logged data:</para>
<screen>LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
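Review bot: `adds the log keyword to those rules` and `with the log keyword included` should mark the keyword up as `<literal>log</literal>`, matching the `<literal>log</literal>` already used in the `options IPFILTER_LOG` paragraph earlier in this file. In the same paragraph, `only deny rules are logged` uses a term that is not an IPF rule action; the counterpart of the `<literal>pass</literal>` used throughout this chapter is `block`, so `<literal>block</literal> rules` would be more accurate, and the `<quote>default deny everything</quote>` phrase could likewise say `block`. Minor: `built in facility` should be hyphenated as `built-in`.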
@@ -858,37 +812,31 @@ LOG_ERR - packets which have been logged
<!-- XXX: "can be considered short" == "with incomplete header" -->
- <para>To setup IPFILTER to log all data to
- <filename>/var/log/ipfilter.log</filename>, the file will
- need to be created beforehand. The following command will
- do that:</para>
+ <para>In order to setup IPFILTER to log all data to
+ <filename>/var/log/ipfilter.log</filename>, first
+ create the empty file:</para>
<screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen>
- <para>The &man.syslogd.8; function is controlled by definition
- statements in <filename>/etc/syslog.conf</filename>.
- This file offers considerable
- flexibility in how <application>syslog</application> will
- deal with system messages issued by software applications
- like IPF.</para>
+ <para>&man.syslogd.8; is controlled by definition statements in
+ <filename>/etc/syslog.conf</filename>. This file offers
+ considerable flexibility in how
+ <application>syslog</application> will deal with system
+ messages issued by software applications like IPF.</para>
- <para>Add the following statement to
+ <para>To write all logged messages to the specified file,
+ add the following statement to
<filename>/etc/syslog.conf</filename>:</para>
<programlisting>local0.* /var/log/ipfilter.log</programlisting>
- <para>The <literal>local0.*</literal>
- means to write all the logged messages to the coded
- file location.</para>
-
- <para>To activate the changes to <filename>/etc/syslog.conf
- </filename> you can reboot or bump the &man.syslogd.8;
- daemon into re-reading <filename>/etc/syslog.conf</filename>
- by running <command>service syslogd reload</command></para>
+ <para>To activate the changes and instruct &man.syslogd.8;
+ to read the modified <filename>/etc/syslog.conf</filename>,
+ run <command>service syslogd reload</command>.</para>
<para>Do not forget to change
<filename>/etc/newsyslog.conf</filename> to rotate the new
- log created above.</para>
+ log file.</para>
</sect2>
<sect2>
@@ -906,16 +854,16 @@ LOG_ERR - packets which have been logged
<listitem>
<para>The time of packet receipt. This is in the form
HH:MM:SS.F, for hours, minutes, seconds, and fractions
- of a second (which can be several digits long).</para>
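Review bot: `In order to setup IPFILTER` should read `set up` (verb), and the paragraph would be more useful if it said why the file has to exist first: &man.syslogd.8; does not create a missing log file, so messages routed to `/var/log/ipfilter.log` are discarded until `touch` creates it. Because this file will record the source and destination addresses of every blocked packet, consider creating it with restrictive permissions (for example `chmod 600` after the `touch`) instead of whatever the current umask yields, and give the `/etc/newsyslog.conf` entry mentioned at the end of the hunk a matching mode. The `<!-- XXX: "can be considered short" == "with incomplete header" -->` comment survives as unchanged context even though the log says several comments were addressed; if it is still open it can stay, otherwise this hunk is the place to drop it.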
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***