svn commit: r52831 - head/en_US.ISO8859-1/books/handbook/firewalls
Chris Rees
crees at FreeBSD.org
Tue Feb 26 21:17:44 UTC 2019
Author: crees
Date: Tue Feb 26 21:17:43 2019
New Revision: 52831
URL: https://svnweb.freebsd.org/changeset/doc/52831
Log:
Document kernel compile options for ipfw
Introduce a dedicated interface
Use sysrc
Submitted by: f.toscan at hotmail.it
Reviewed by: bcr
Differential Revision: https://reviews.freebsd.org/D18484
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sun Feb 24 20:31:15 2019 (r52830)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 26 21:17:43 2019 (r52831)
@@ -1329,7 +1329,7 @@ rdr pass on $ext_if inet proto tcp from !<spamd-whi
<para>The two tables <literal><spamd></literal> and
<literal><spamd-white></literal> are essential.
<acronym>SMTP</acronym> traffic from an address listed
- in<literal> <spamd></literal> but not in
+ in <literal><spamd></literal> but not in
<literal><spamd-white></literal> is redirected to
the <application>spamd</application> daemon listening at
port 8025.</para>
@@ -1623,52 +1623,21 @@ block drop out quick on $ext_if from any to $martians<
custom kernel is not needed in order to enable
<application>IPFW</application>.</para>
- <indexterm>
- <primary>kernel options</primary>
-
- <secondary>IPFIREWALL</secondary>
- </indexterm>
-
- <indexterm>
- <primary>kernel options</primary>
-
- <secondary>IPFIREWALL_VERBOSE</secondary>
- </indexterm>
-
- <indexterm>
- <primary>kernel options</primary>
-
- <secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
- </indexterm>
-
- <indexterm>
- <primary><application>IPFW</application></primary>
-
- <secondary>kernel options</secondary>
- </indexterm>
-
<para>For those users who wish to statically compile
<application>IPFW</application> support into a custom kernel,
- refer to the instructions in <xref linkend="kernelconfig"/>.
- The following options are available for the
- custom kernel configuration file:</para>
+ see <xref linkend="firewalls-ipfw-kernelconfig"/>.</para>
- <programlisting>options IPFIREWALL # enables IPFW
-options IPFIREWALL_VERBOSE # enables logging for rules with log keyword
-options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
-options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
-options IPDIVERT # enables NAT</programlisting>
-
<para>To configure the system to enable
- <application>IPFW</application> at boot time, add the
- following entry to <filename>/etc/rc.conf</filename>:</para>
+ <application>IPFW</application> at boot time, add
+ <literal>firewall_enable="YES"</literal> to
+ <filename>/etc/rc.conf</filename>:</para>
- <programlisting>firewall_enable="YES"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_enable="YES"</userinput></screen>
<para>To use one of the default firewall types provided by &os;,
add another line which specifies the type:</para>
- <programlisting>firewall_type="open"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_type="open"</userinput></screen>
<para>The available types are:</para>
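Review bot: the paragraph that now reads "add <literal>firewall_enable="YES"</literal> to <filename>/etc/rc.conf</filename>:" is immediately followed by a <screen> running sysrc rather than a line to paste, so the wording should match the command, e.g. "set <literal>firewall_enable="YES"</literal> in <filename>/etc/rc.conf</filename> using &man.sysrc.8;:"; that also introduces sysrc with a man-page entity the way this patch does for &man.syslogd.8; further down. The same applies to the firewall_type paragraph ("add another line which specifies the type"), which likewise now shows a sysrc invocation rather than a line.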
@@ -1720,19 +1689,36 @@ options IPDIVERT # enables NAT</programlisting>
<literal>firewall_script</literal> is set to
<filename>/etc/ipfw.rules</filename>:</para>
- <programlisting>firewall_script="/etc/ipfw.rules"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_script="/etc/ipfw.rules"</userinput></screen>
- <para>To enable logging, include this line:</para>
+ <para>To enable logging through &man.syslogd.8;, include this
+ line:</para>
- <programlisting>firewall_logging="YES"</programlisting>
+ <screen>&prompt.root; <userinput>sysrc firewall_logging="YES"</userinput></screen>
<para>There is no <filename>/etc/rc.conf</filename> variable to
set logging limits. To limit the number of times a rule is
logged per connection attempt, specify the number using this
line in <filename>/etc/sysctl.conf</filename>:</para>
- <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
+ <screen>&prompt.root; <userinput>sysrc -f /etc/sysctl.conf net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
+ <para>To enable logging through a dedicated interface named
+ <literal>ipfw0</literal>, add this line to
+ <filename>/etc/rc.conf</filename> instead:</para>
+
+ <screen>&prompt.root; <userinput>sysrc firewall_logif="YES"</userinput></screen>
+
+ <para>Then use <application>tcpdump</application> to see what is
+ being logged:</para>
+
+ <screen>&prompt.root; <userinput>tcpdump -t -n -i ipfw0</userinput></screen>
+
+ <tip>
+ <para>There is no overhead due to logging unless
+ <application>tcpdump</application> is attached.</para>
+ </tip>
+
<para>After saving the needed edits, start the firewall. To
enable logging limits now, also set the
<command>sysctl</command> value specified above:</para>
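Review bot: the new firewall_logif paragraph says to use it "instead" of firewall_logging, but nothing states what happens if both are set or which one wins, so a reader who keeps firewall_logging="YES" and adds firewall_logif="YES" cannot tell from this text where logged packets will end up; one sentence saying that syslogd logging and the ipfw0 interface are alternatives, and which takes precedence, would close that gap. The <tip> ("no overhead due to logging unless tcpdump is attached") should also say that this applies to the ipfw0 interface only, since syslogd logging on the preceding lines does carry a cost per logged packet and that is exactly why net.inet.ip.fw.verbose_limit is documented just above.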
@@ -2257,7 +2243,7 @@ good_tcpo="22,25,37,53,80,443,110"</programlisting>
$cmd 130 $skip icmp from any to any out via $pif $ks</programlisting>
<para>The inbound rules remain the same, except for the very
- last rule which removes the <literal> via $pif</literal> in
+ last rule which removes the <literal>via $pif</literal> in
order to catch both inbound and outbound rules. The
<acronym>NAT</acronym> rule must follow this last outbound
rule, must have a higher number than that last rule, and the
@@ -2609,6 +2595,55 @@ ks="keep-state" # just too lazy to key this eac
&prompt.root; <userinput>ipfw -q add allow tcp from any to 192.0.2.11 53 out via tun0 setup keep-state</userinput>
&prompt.root; <userinput>ipfw -q add 00611 allow udp from any to 192.0.2.11 53 out via tun0 keep-state</userinput></screen>
</sect3>
+ </sect2>
+
+ <sect2 xml:id="firewalls-ipfw-kernelconfig">
+ <title><application>IPFW</application> Kernel Options</title>
+
+ <indexterm>
+ <primary>kernel options</primary>
+
+ <secondary>IPFIREWALL</secondary>
+ </indexterm>
+
+ <indexterm>
+ <primary>kernel options</primary>
+
+ <secondary>IPFIREWALL_VERBOSE</secondary>
+ </indexterm>
+
+ <indexterm>
+ <primary>kernel options</primary>
+
+ <secondary>IPFIREWALL_VERBOSE_LIMIT</secondary>
+ </indexterm>
+
+ <indexterm>
+ <primary><application>IPFW</application></primary>
+
+ <secondary>kernel options</secondary>
+ </indexterm>
+ <para>In order to statically compile
+ <application>IPFW</application> support into a custom kernel,
+ refer to the instructions in <xref linkend="kernelconfig"/>.
+ The following options are available for the
+ custom kernel configuration file:</para>
+
+ <programlisting>options IPFIREWALL # enables IPFW
+options IPFIREWALL_VERBOSE # enables logging for rules with log keyword to syslogd(8)
+options IPFIREWALL_VERBOSE_LIMIT=5 # limits number of logged packets per-entry
+options IPFIREWALL_DEFAULT_TO_ACCEPT # sets default policy to pass what is not explicitly denied
+options IPFIREWALL_NAT # enables in-kernel NAT support
+options IPFIREWALL_NAT64 # enables in-kernel NAT64 support
+options IPFIREWALL_NPTV6 # enables in-kernel IPv6 NPT support
+options IPFIREWALL_PMOD # enables protocols modification module support
+options IPDIVERT # enables NAT through natd(8)</programlisting>
+
+ <note>
+ <para><application>IPFW</application> can be loaded as
+ a kernel module: options above are built by default
+ as modules or can be set at runtime using tunables.</para>
+ </note>
</sect2>
</sect1>
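Review bot: the <note> at the end of the new sect2 ("options above are built by default as modules or can be set at runtime using tunables") does not say which options are modules and which are tunables, so it does not tell a reader how to get, for example, the behaviour of IPFIREWALL_DEFAULT_TO_ACCEPT without a custom kernel; suggest naming the loader tunable net.inet.ip.fw.default_to_accept for that option and the net.inet.ip.fw.verbose / net.inet.ip.fw.verbose_limit sysctls for the two VERBOSE options, and stating that NAT, NAT64, NPTV6 and PMOD are the ones available as modules. Since IPFIREWALL_DEFAULT_TO_ACCEPT changes the default policy to accept, it is worth adding that the built-in default (deny what is not explicitly allowed) is the safer setting and that this option should only be used deliberately. Two smaller points: the comment on the IPFIREWALL_PMOD line should read "protocol modification module support", and the last </indexterm> is missing the blank line before <para> that the other indexterm blocks in this hunk have.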