svn commit: r43916 - head/en_US.ISO8859-1/books/handbook/firewalls

From: Dru Lavigne <>
Date: Fri, 14 Feb 2014 01:30:43 +0000 (UTC)
Author: dru
Date: Fri Feb 14 01:30:43 2014
New Revision: 43916

  Finish subsection on enabling PF.
  Comment out pfsync section for now as it is no longer true. At some point
  a section should be adding demonstrating how to use it.
  Sponsored by: iXsystems


Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Fri Feb 14 00:15:36 2014	(r43915)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Fri Feb 14 01:30:43 2014	(r43916)
_at__at_ -232,24 +232,27 _at__at_
       <title>Enabling <application>PF</application></title>
-      <para>In order to use <application>PF</application>, its module must be first
-	loaded.  Add the following line to
+      <para>In order to use <application>PF</application>, its kernel module must be first
+	loaded.  This section describes the entries that can be added
+	to <filename>/etc/rc.conf</filename> in order to enable
+	<application>PF</application>.</para>
+      <para>Start by adding the following line to
-      <para>Additional options can be passed to
-	<application>PF</application> when it is started.  Refer to
-	&man.pfctl.8; for the available options and specify any
-	required flags by
-	adding another entry to <filename>/etc/rc.conf</filename>:</para>
+      <para>Additional options, described in &man.pfctl.8;, can be passed to
+	<application>PF</application> when it is started.  Add this entry to 
+	<filename>/etc/rc.conf</filename> and specify any
+	required flags between the two quotes (<literal>""</literal>):</para>
       <programlisting>pf_flags=""                     # additional flags for pfctl startup</programlisting>
-      <para>The module will not load if it cannot find the
-	ruleset configuration file.  A default ruleset is located
-	<filename>/etc/pf.conf</filename>.  If a custom ruleset is
-	located somewhere else, add a line to
+      <para><application>PF</application> will not start if it cannot find its
+	ruleset configuration file.  The default ruleset is already created and is named
+	<filename>/etc/pf.conf</filename>.  If a custom ruleset has
+	been saved somewhere else, add a line to
 	<filename>/etc/rc.conf</filename> which specifies the full
 	path to the file:</para>
_at__at_ -260,33 +263,35 _at__at_
 	<filename>/usr/share/examples/pf/</filename>.  The rest of
 	this chapter demonstrates how to create a custom ruleset.</para>
-      <para>Then, run the startup script to load the module:</para>
-      <screen>&prompt.root; <userinput>service pf start</userinput></screen>
       <para>Logging support for <application>PF</application> is provided by
-	&man.pflog.4; which can be loaded by adding the
-	following line to <filename>/etc/rc.conf</filename>:</para>
+	&man.pflog.4;.  To enable logging support, add this
+	line to <filename>/etc/rc.conf</filename>:</para>
-      <para>The following &man.rc.conf.5; statements can also be used to
+      <para>The following lines can also be added in order to
 	change the default location of the log file or to specify any
-	additional flags:</para>
+	additional flags to pass to &man.pflog.4; when it is started:</para>
  <programlisting>pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
 pflog_flags=""                  # additional flags for pflogd startup</programlisting>
-      <para>Save the edits, then run the startup script to load the logging module:</para>
-      <screen>&prompt.root; <userinput>service pflog start</userinput></screen>
-      <para>If there is a <acronym>LAN</acronym> behind the firewall and packets need to
+      <para>Finally, if there is a <acronym>LAN</acronym> behind the firewall and packets need to
 	be forwarded for the computers on the <acronym>LAN</acronym>, or <acronym>NAT</acronym> is required,
 	add the following option:</para>
       <programlisting>gateway_enable="YES"            # Enable as LAN gateway</programlisting>
-      <indexterm>
+      <para>After saving the needed edits,
+	<application>PF</application> can be started with logging support by typing:</para>
+      <screen>&prompt.root; <userinput>service pf start</userinput>
+&prompt.root; <userinput>service pflog start</userinput></screen>
+This is no longer true as of 9.x. It also references the CARP section
+which doesn't explain how to use it...At some point it should.
+     <indexterm>
 	<primary>kernel options</primary>
 	<secondary>device pf</secondary>
_at__at_ -304,8 +309,7 _at__at_ pflog_flags=""                  # additi
       <para>While it is not necessary to compile
 	<application>PF</application> support into the &os; kernel,
-	some of PF's advanced features are not included in the
-	loadable module, namely &man.pfsync.4;, which is a
+	some advanced features are not included, namely &man.pfsync.4;, which is a
 	pseudo-device that exposes certain changes to the state table
 	used by <application>PF</application>.  It can be paired with
 	&man.carp.4; to create failover firewalls using
_at__at_ -319,6 +323,8 _at__at_ pflog_flags=""                  # additi
 device pflog
 device pfsync</programlisting>
+      <para>where:</para>
       <para><literal>device pf</literal> enables PF support.</para>
       <para><literal>device pflog</literal> enables the optional
_at__at_ -331,6 +337,7 _at__at_ device pfsync</programlisting>
 	&man.pfsync.4; pseudo-network device that is used to monitor
 	<quote>state changes</quote>.</para>
+    -->
Received on Fri Feb 14 2014 - 01:30:44 UTC