svn commit: r44139 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at FreeBSD.org
Wed Mar 5 20:28:47 UTC 2014


Author: dru
Date: Wed Mar  5 20:28:46 2014
New Revision: 44139
URL: http://svnweb.freebsd.org/changeset/doc/44139

Log:
  White space fix only. Translators can ignore.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Mar  5 20:11:16 2014	(r44138)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Wed Mar  5 20:28:46 2014	(r44139)
@@ -1735,13 +1735,13 @@ options    IPDIVERT			# enables NAT</pro
 	logged per connection attempt, specify the number using this
 	line in <filename>/etc/sysctl.conf</filename>:</para>
 
-     <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
+      <programlisting>net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></programlisting>
 
-     <para>After saving the needed edits, start the firewall.  To
-       enable logging limits now, also set the
-       <command>sysctl</command> value specified above:</para>
+      <para>After saving the needed edits, start the firewall.  To
+	enable logging limits now, also set the
+	<command>sysctl</command> value specified above:</para>
 
-     <screen>&prompt.root; <userinput>service ipfw start</userinput>
+      <screen>&prompt.root; <userinput>service ipfw start</userinput>
 &prompt.root; <userinput>sysctl net.inet.ip.fw.verbose_limit=<replaceable>5</replaceable></userinput></screen>
     </sect2>
 
@@ -1854,8 +1854,8 @@ options    IPDIVERT			# enables NAT</pro
 	      <literal>limit</literal> rule.</para>
 
 	    <para><parameter>count</parameter>: updates counters for
-	      all packets that match the rule.  The search continues with
-	      the next rule.</para>
+	      all packets that match the rule.  The search continues
+	      with the next rule.</para>
 
 	    <para><parameter>deny | drop</parameter>: either word
 	      silently discards packets that match this rule.</para>
@@ -2157,16 +2157,17 @@ pif="dc0"     # interface name of NIC at
 	<application>IPFW</application> to provide network address
 	translation.  This can be used to provide an Internet
 	Connection Sharing solution so that several internal computers
-	can connect to the Internet using a single <acronym>IP</acronym>
-	address.</para>
+	can connect to the Internet using a single
+	<acronym>IP</acronym> address.</para>
 
       <para>To do this, the &os; machine connected to the Internet
 	must act as a gateway.  This system must have two
-	<acronym>NIC</acronym>s, where one is connected to the Internet
-	and the other is connected to the internal <acronym>LAN</acronym>.  Each
-	machine connected to the <acronym>LAN</acronym> should be assigned
-	an <acronym>IP</acronym> address in the private network space,
-	as defined by <link
+	<acronym>NIC</acronym>s, where one is connected to the
+	Internet and the other is connected to the internal
+	<acronym>LAN</acronym>.  Each machine connected to the
+	<acronym>LAN</acronym> should be assigned an
+	<acronym>IP</acronym> address in the private network space, as
+	defined by <link
 	  xlink:href="ftp://ftp.isi.edu/in-notes/rfc1918.txt">RFC
 	  1918</link>, and have the default gateway set to the
 	&man.natd.8; system's internal <acronym>IP</acronym>
@@ -2177,11 +2178,11 @@ pif="dc0"     # interface name of NIC at
 	<application>IPFW</application>.  If the system has a custom
 	kernel, the kernel configuration file needs to include
 	<literal>option IPDIVERT</literal> along with the other
-	<literal>IPFIREWALL</literal> options described in <xref linkend="firewalls-ipfw-enable"/>.</para>
+	<literal>IPFIREWALL</literal> options described in <xref
+	  linkend="firewalls-ipfw-enable"/>.</para>
 
-      <para>To enable <acronym>NAT</acronym> support at
-	boot time, the following must be in
-	<filename>/etc/rc.conf</filename>:</para>
+      <para>To enable <acronym>NAT</acronym> support at boot time, the
+	following must be in <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>gateway_enable="YES"		# enables the gateway
 natd_enable="YES"		# enables <acronym>NAT</acronym>
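Review bot: the kernel option named in the third context line, `<literal>option IPDIVERT</literal>`, uses the singular keyword; kernel configuration files take `options`, which is what this hunk's own header context `options    IPDIVERT			# enables NAT` shows. Out of scope for a whitespace-only commit, but it should be `<literal>options IPDIVERT</literal>` in a follow-up.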
@@ -2189,14 +2190,13 @@ natd_interface="rl0"		# specify interfac
 natd_flags="-dynamic -m"	# -m = preserve port numbers; additional options are listed in &man.natd.8;</programlisting>
 
       <note>
-	<para>It is also possible to specify a configuration file which
-	  contains the options to pass to &man.natd.8;:</para>
+	<para>It is also possible to specify a configuration file
+	  which contains the options to pass to &man.natd.8;:</para>
 
 	<programlisting>natd_flags="-f /etc/natd.conf"</programlisting>
 
 	<para>The specified file must contain a list of configuration
-	  options, one per line.  For
-	  example:</para>
+	  options, one per line.  For example:</para>
 
 	<programlisting>redirect_port tcp 192.168.0.2:6667 6667
 redirect_port tcp 192.168.0.3:80 80</programlisting>
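Review bot: the note's `natd_flags="-f /etc/natd.conf"` replaces the `natd_flags="-dynamic -m"	# -m = preserve port numbers` assignment shown in the listing directly above it, so a reader who follows the note silently drops both options unless they are carried into the file; a sentence stating that the file must then contain every option that would otherwise have been passed on the command line (the `dynamic` and `same_ports` equivalents of `-dynamic` and `-m`) would close that gap. Not for this whitespace commit, but worth a follow-up.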
@@ -2207,21 +2207,19 @@ redirect_port tcp 192.168.0.3:80 80</pro
 
       <para>Next, add the <acronym>NAT</acronym> rules to the firewall
 	ruleset.  When the rulest contains stateful rules, the
-	positioning of the <acronym>NAT</acronym> rules is
-	critical and the <literal>skipto</literal> action is used.
-	The
-	<literal>skipto</literal> action requires a rule number
-	so that it knows
-	which rule to jump to.</para>
+	positioning of the <acronym>NAT</acronym> rules is critical
+	and the <literal>skipto</literal> action is used.  The
+	<literal>skipto</literal> action requires a rule number so
+	that it knows which rule to jump to.</para>
 
       <para>The following example builds upon the firewall ruleset
 	shown in the previous section.  It adds some additional
 	entries and modifies some existing rules in order to configure
-	the firewall for <acronym>NAT</acronym>.  It starts by
-	adding some additional variables which represent the rule
-	number to skip to, the <literal>keep-state</literal> option,
-	and a list of <acronym>TCP</acronym> ports which will be
-	used to reduce the number of rules:</para>
+	the firewall for <acronym>NAT</acronym>.  It starts by adding
+	some additional variables which represent the rule number to
+	skip to, the <literal>keep-state</literal> option, and a list
+	of <acronym>TCP</acronym> ports which will be used to reduce
+	the number of rules:</para>
 
       <programlisting>#!/bin/sh
 ipfw -q -f flush
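Review bot: typo carried through unchanged in the second context line, `When the rulest contains stateful rules` should read `ruleset`. Trivial follow-up given this commit is whitespace only.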
@@ -2264,13 +2262,13 @@ good_tcpo="22,25,37,53,80,443,110"</prog
 
       <para>The inbound rules remain the same, except for the very
 	last rule which removes the <literal> via $pif</literal> in
-	order to catch both inbound and outbound rules.  The 
+	order to catch both inbound and outbound rules.  The
 	<acronym>NAT</acronym> rule must follow this last outbound
 	rule, must have a higher number than that last rule, and the
 	rule number must be referenced by the
-	<literal>skipto</literal> action.  In this ruleset,
-	rule number <literal>500</literal> diverts all
-	packets which match the outbound rules to &man.natd.8; for
+	<literal>skipto</literal> action.  In this ruleset, rule
+	number <literal>500</literal> diverts all packets which match
+	the outbound rules to &man.natd.8; for
 	<acronym>NAT</acronym> processing.  The next rule allows any
 	packet which has undergone <acronym>NAT</acronym> processing
 	to pass.</para>
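Review bot: `<literal> via $pif</literal>` in the second context line has a leading space inside the element, which renders as part of the literal; and `in order to catch both inbound and outbound rules` describes what the rule matches, which are packets, not rules. Both are unchanged here; suggest `<literal>via $pif</literal>` and `both inbound and outbound packets` in a follow-up.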
@@ -2281,43 +2279,47 @@ good_tcpo="22,25,37,53,80,443,110"</prog
 
       <para>In this example, rules <literal>100</literal>,
 	<literal>101</literal>, <literal>125</literal>,
-	<literal>500</literal>, and <literal>510</literal>
-	control the address translation of the outbound and inbound packets
-	so that the entries in the dynamic state table always
-	register the private <acronym>LAN</acronym>
-	<acronym>IP</acronym> address.</para>
+	<literal>500</literal>, and <literal>510</literal> control the
+	address translation of the outbound and inbound packets so
+	that the entries in the dynamic state table always register
+	the private <acronym>LAN</acronym> <acronym>IP</acronym>
+	address.</para>
 
-      <para>Consider an internal web browser which initializes a new outbound <acronym>HTTP</acronym>
-	session over port 80.  When the first outbound packet enters
-	the firewall, it does not match rule <literal>100</literal> because it is
-	headed out rather than in.  It passes rule <literal>101</literal> because this
-	is the first packet and it has not been posted to the
-	dynamic state table yet.  The packet finally matches
-	rule <literal>125</literal> as it is outbound on an allowed port
-	and has a source <acronym>IP</acronym> address from the internal <acronym>LAN</acronym>.
-	On matching this rule, two actions take place.
-	First, the <literal>keep-state</literal> action adds an entry to the dynamic
-	state table and the specified action, <literal>skipto rule 500</literal>, is executed.
-	Next, the packet undergoes <acronym>NAT</acronym> and
-	is sent out to the Internet.  This packet makes its way to
+      <para>Consider an internal web browser which initializes a new
+	outbound <acronym>HTTP</acronym> session over port 80.  When
+	the first outbound packet enters the firewall, it does not
+	match rule <literal>100</literal> because it is headed out
+	rather than in.  It passes rule <literal>101</literal> because
+	this is the first packet and it has not been posted to the
+	dynamic state table yet.  The packet finally matches rule
+	<literal>125</literal> as it is outbound on an allowed port
+	and has a source <acronym>IP</acronym> address from the
+	internal <acronym>LAN</acronym>.  On matching this rule, two
+	actions take place.  First, the <literal>keep-state</literal>
+	action adds an entry to the dynamic state table and the
+	specified action, <literal>skipto rule 500</literal>, is
+	executed.  Next, the packet undergoes <acronym>NAT</acronym>
+	and is sent out to the Internet.  This packet makes its way to
 	the destination web server, where a response packet is
 	generated and sent back.  This new packet enters the top of
-	the ruleset.  It matches rule <literal>100</literal> and has it destination <acronym>IP</acronym>
-	address mapped back to the original internal address.  It
-	then is processed by the <literal>check-state</literal>
-	rule, is found in the table as an existing session, and is
-	released to the <acronym>LAN</acronym>.</para>
-
-      <para>On the inbound side, the ruleset has
-	to deny bad packets and allow only authorized services.
-	A packet which matches an inbound rule
-	is posted
-	to the dynamic state table and the packet is released to the
-	<acronym>LAN</acronym>. The packet generated as a response is recognized by the
-	<literal>check-state</literal> rule as belonging to an existing
-	session.  It is then sent to rule <literal>500</literal> to undergo
+	the ruleset.  It matches rule <literal>100</literal> and has
+	it destination <acronym>IP</acronym> address mapped back to
+	the original internal address.  It then is processed by the
+	<literal>check-state</literal> rule, is found in the table as
+	an existing session, and is released to the
+	<acronym>LAN</acronym>.</para>
+
+      <para>On the inbound side, the ruleset has to deny bad packets
+	and allow only authorized services.  A packet which matches an
+	inbound rule is posted to the dynamic state table and the
+	packet is released to the <acronym>LAN</acronym>. The packet
+	generated as a response is recognized by the
+	<literal>check-state</literal> rule as belonging to an
+	existing session.  It is then sent to rule
+	<literal>500</literal> to undergo
 	<acronym>NAT</acronym> before being released to the outbound
 	interface.</para>
+
       <sect3>
 	<title>Port Redirection</title>
 
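Review bot: the reflowed line `it destination <acronym>IP</acronym> address mapped back to` preserves the original's typo and should read `its destination`; and `<acronym>LAN</acronym>. The packet` keeps a single space after the period where the rest of this hunk uses two, which the reflow could have normalized. Both are small follow-ups to this whitespace-only change.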

