New firewall section (was: Re: HEADS UP: doc/ slush begins)

Max Laier max at love2party.net
Wed Sep 22 01:05:24 UTC 2004


On Wednesday 22 September 2004 03:01, Max Laier wrote:
> On Wednesday 22 September 2004 00:56, Max Laier wrote:
> > [ Sorry for joining in late or broken references. Have not been on -doc,
> > yet ]
> >
> > On Thursday 01 January 1970 00:59,  wrote:
> > > > Referring to ... http://freebsd.so14k.com/firewall/
> > > >
> > > > Is everyone else happy (doceng/translators) if this were to go in
> > > > before the release?
> >
> > I'd like to put in "a few" more words about pf in terms of FreeBSD
> > (something in the flavor of 14.8.5.1 through 14.8.5.3) I will follow up
> > with a writeup of what I have in mind in ~2-4h. Do with it, whatever you
> > feel is appropriate.
> >
> > Great work, please don't let me delay you here! But thanks for
> > considering.
>
> Attached is the updated <sect2> for pf. Just some scribbling, but I guess
> people will still find it useful to get the grip. Just tell me what you
> think of it and what I can do to help. Thanks!

The mailing list doesn't seem to like "Type: text/sgml" ... resend, sorry!

-- 
/"\  Best regards,                      | mlaier at freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier at EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
-------------- next part --------------
   <sect2>
      <title>OpenBSD's Packet Filter (PF) firewall</title>
      <para>As of July 2003 the OpenBSD firewall software application
        named PF was ported to &os;. It is part of &os; version 5.3 and
        later. PF is a complete, full-featured firewall that contains ALTQ
        for bandwidth usage management, much the same as dummynet provides in
        IPFW. Of all the &os; firewalls, PF has the best user documentation.
        The OpenBSD project does such an outstanding job of maintaining the
        PF user's guide that it will not be reproduced in this handbook's
        firewall section, as that would just be duplicated effort.</para>

      <para>For older 5.x versions of &os; you can find PF in the &os; ports
        collection here: <filename
        role="package">security/pf</filename>.</para>

      <para>More info can be found at the PF for &os; web-site:
        <ulink url="http://pf4freebsd.love2party.net/index.html">
        </ulink>.</para>

      <para>The OpenBSD PF user's guide is here:
        <ulink url="http://www.openbsd.org/faq/pf/index.html"></ulink>.
        </para>

      <warning>
        <para>PF in &os; 5.x is at the level of OpenBSD version 3.5. The
          port from the &os; ports collection is at the level of OpenBSD
          version 3.4. Keep that in mind when browsing the user's
          guide.</para>
      </warning>

    <sect3>
      <title>Enabling PF</title>
      <para>PF is included in the base &os; install for versions newer than
        5.3 as a separate run-time loadable kernel module. PF will
        dynamically load its kernel module when the rc.conf statement
        <programlisting>pf_enable="YES"</programlisting> is used. The
        loadable module was built with &man.pflog.4; logging
        enabled.</para>
    </sect3>

    <sect3>
      <title>Kernel options</title>
      <para>It is not necessary to compile the following options into the
        &os; kernel in order to enable PF. They are presented here only as
        background information. Compiling PF into the kernel means the
        loadable module is never used.</para>

      <para>Sample kernel config PF option statements are in the
        <filename>/usr/src/sys/conf/NOTES</filename> kernel source and are
        reproduced here.</para>

      <screen>device pf
device pflog
device pfsync</screen>

      <para><programlisting>pf</programlisting> tells the kernel build to
        include Packet Filter as part of the core kernel.</para>

      <para><programlisting>pflog</programlisting> enables the optional
        &man.pflog.4; pseudo network device which can be used to log traffic
        to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon can be used to
        store the logging information to disk.</para>

      <para><programlisting>pfsync</programlisting> enables the optional
        &man.pfsync.4; pseudo network device that is used to monitor
        <quote>state changes</quote>. As this is not part of the loadable
        module, one has to build a custom kernel to use it.</para>

      <para>These settings will take effect only after you have built and
        installed a kernel with them set.</para>
    </sect3>

    <sect3>
      <title>Available rc.conf Options</title>

      <para>You need the following statements in
        <filename>/etc/rc.conf</filename> to activate PF at boot time.</para>
      <screen>pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl startup
pflog_enable="YES"              # start pflogd(8)
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd startup</screen>

      <para>If you have a LAN behind this firewall and have to forward
        packets for the computers in the LAN, or want to do NAT, you have to
        enable the following option as well.</para>

      <screen>gateway_enable="YES"            # Enable as Lan gateway</screen>

    </sect3>
   </sect2>
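Added example, not part of the handbook section or the post above: since rc.conf is plain sh, this script sources a constructed sample fragment in a subshell and checks the knobs the section lists with the same yes/no semantics as rc.subr(8)'s checkyesno, flagging a forgotten gateway_enable. The sample file is constructed inline; the defaults assumed are those of /etc/defaults/rc.conf.

```shell
#!/bin/sh
# Added example, not part of the handbook section or the list post above.
# rc.conf is plain sh syntax, so the most faithful check of what rc(8) will
# see at boot is to source it in a subshell and apply the same yes/no test
# that rc.subr(8)'s checkyesno uses. Source only an rc.conf you trust: every
# command in the file is executed.

# yesno VALUE: mirror checkyesno. yes/true/on/1 (any case) enable; anything
# else, including a typo such as "enabled", counts as disabled.
yesno() {
    case "$1" in
    [Yy][Ee][Ss]|[Tt][Rr][Uu][Ee]|[Oo][Nn]|1) return 0 ;;
    *) return 1 ;;
    esac
}

# pf_rc_check FILE [nat]: print one "knob:on|off" line per rc.conf knob the
# section lists. With the optional "nat" argument gateway_enable is checked
# too, because forwarding for a LAN behind the firewall needs it.
pf_rc_check() {
    (
        # Defaults matching /etc/defaults/rc.conf for these knobs.
        pf_enable=NO pflog_enable=NO gateway_enable=NO pf_rules=/etc/pf.conf
        . "$1"
        yesno "$pf_enable"    && echo "pf:on"    || echo "pf:off"
        yesno "$pflog_enable" && echo "pflog:on" || echo "pflog:off"
        echo "rules:$pf_rules"
        if [ "$2" = nat ]; then
            yesno "$gateway_enable" && echo "gateway:on" || echo "gateway:off"
        fi
    )
}

# Constructed sample rc.conf: PF and pflogd on, gateway_enable forgotten.
make_sample_rcconf() {
    _f=$(mktemp) || return 1
    cat >"$_f" <<'EOF'
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pflog_enable="yes"              # lower case is accepted by checkyesno
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
# gateway_enable="YES" is missing, so hosts on the LAN would not be forwarded
EOF
    echo "$_f"
}

sample=$(make_sample_rcconf)
pf_rc_check "$sample" nat   # pf:on pflog:on rules:/etc/pf.conf gateway:off
rm -f "$sample"
```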