svn commit: r40948 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at FreeBSD.org
Mon Feb 11 15:01:38 UTC 2013


Author: dru
Date: Mon Feb 11 15:01:37 2013
New Revision: 40948
URL: http://svnweb.freebsd.org/changeset/doc/40948

Log:
  This patch addresses the following:
  
  - rewording to remove you, etc., i.e., and references to PPP
  
  - fixes xref
  
  - general tightening, removal of redundant paragraphs, and many fixes to grammos/typos
  
  - a reference to a non-existing logging section was removed
  
  - several comments were addressed and removed
  
  Approved by	gjb (mentor)

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Mon Feb 11 14:58:34 2013	(r40947)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Mon Feb 11 15:01:37 2013	(r40948)
@@ -36,39 +36,37 @@
   <sect1 id="firewalls-intro">
     <title>Introduction</title>
 
-    <para>Firewalls make it possible to filter incoming and outgoing
-      traffic that flows through your system.  A firewall can use one
-      or more sets of <quote>rules</quote> to inspect the network
-      packets as they come in or go out of your network connections
-      and either allows the traffic through or blocks it.  The rules
-      of a firewall can inspect one or more characteristics of the
-      packets, including but not limited to the protocol type, the
-      source or destination host address, and the source or
-      destination port.</para>
-
-    <para>Firewalls can greatly enhance the security of a host or a
-      network.  They can be used to do one or more of
-      the following things:</para>
+    <para>Firewalls make it possible to filter the incoming and
+      outgoing traffic that flows through a system.  A firewall can
+      use one or more sets of <quote>rules</quote> to inspect network
+      packets as they come in or go out of network connections and
+      either allows the traffic through or blocks it.  The rules of
+      a firewall can inspect one or more characteristics of the
+      packets such as the protocol type, source or destination host
+      address, and source or destination port.</para>
+
+    <para>Firewalls can enhance the security of a host or a network.
+      They can be used to do one or more of the following:</para>
 
     <itemizedlist>
       <listitem>
-	<para>To protect and insulate the applications, services and
-	  machines of your internal network from unwanted traffic
-	  coming in from the public Internet.</para>
+	<para>Protect and insulate the applications, services, and
+	  machines of an internal network from unwanted traffic from
+	  the public Internet.</para>
       </listitem>
 
       <listitem>
-	<para>To limit or disable access from hosts of the internal
+	<para>Limit or disable access from hosts of the internal
 	  network to services of the public Internet.</para>
       </listitem>
 
       <listitem>
-	<para>To support network address translation
-	  (<acronym>NAT</acronym>), which allows your internal network
+	<para>Support network address translation
+	  (<acronym>NAT</acronym>), which allows an internal network
 	  to use private <acronym>IP</acronym> addresses and share a
-	  single connection to the public Internet (either with a
-	  single <acronym>IP</acronym> address or by a shared pool of
-	  automatically assigned public addresses).</para>
+	  single connection to the public Internet using either a
+	  single <acronym>IP</acronym> address or a shared pool of
+	  automatically assigned public addresses.</para>
       </listitem>
     </itemizedlist>
 
@@ -76,27 +74,27 @@
 
     <itemizedlist>
       <listitem>
-	<para>How to properly define packet filtering rules.</para>
+	<para>How to define packet filtering rules.</para>
       </listitem>
 
       <listitem>
-	<para>The differences between the firewalls
-	  built into &os;.</para>
+	<para>The differences between the firewalls built into
+	  &os;.</para>
       </listitem>
 
       <listitem>
-	<para>How to use and configure the OpenBSD
+	<para>How to use and configure the
 	  <application>PF</application> firewall.</para>
       </listitem>
 
       <listitem>
-	<para>How to use and configure
-	  <application>IPFILTER</application>.</para>
+	<para>How to use and configure the
+	  <application>IPFILTER</application> firewall.</para>
       </listitem>
 
       <listitem>
-	<para>How to use and configure
-	  <application>IPFW</application>.</para>
+	<para>How to use and configure the
+	  <application>IPFW</application> firewall.</para>
       </listitem>
     </itemizedlist>
 
@@ -118,81 +116,68 @@
       <secondary>rulesets</secondary>
     </indexterm>
 
-    <para>There are two basic ways to create firewall rulesets:
-      <quote>inclusive</quote> or <quote>exclusive</quote>.  An
+    <para>A firewall ruleset can be either
+      <quote>exclusive</quote> or <quote>inclusive</quote>.  An
       exclusive firewall allows all traffic through except for the
       traffic matching the ruleset.  An inclusive firewall does the
-      reverse.  It only allows traffic matching the rules through and
+      reverse as it only allows traffic matching the rules through and
       blocks everything else.</para>
 
-    <para>An inclusive firewall offers much better control of the
-      outgoing traffic, making it a better choice for systems that
-      offer services to the public Internet.  It also controls the
-      type of traffic originating from the public Internet that can
-      gain access to your private network.  All traffic that does
-      not match the rules, is blocked and logged by design.  Inclusive
-      firewalls are generally safer than exclusive firewalls because
-      they significantly reduce the risk of allowing unwanted traffic
-      to pass through them.</para>
+    <para>An inclusive firewall offers better control of the outgoing
+      traffic, making it a better choice for systems that offer
+      services to the public Internet.  It also controls the type of
+      traffic originating from the public Internet that can gain
+      access to a private network.  All traffic that does not match
+      the rules is blocked and logged.  Inclusive firewalls are
+      generally safer than exclusive firewalls because they
+      significantly reduce the risk of allowing unwanted
+      traffic.</para>
 
     <note>
       <para>Unless noted otherwise, all configuration and example
-	rulesets in this chapter, create inclusive type
-	firewalls.</para>
+	rulesets in this chapter create inclusive firewall
+	rulesets.</para>
     </note>
 
     <para>Security can be tightened further using a <quote>stateful
-	firewall</quote>.  This type of firewall keeps
-      track of which connections are opened through the firewall and
-      will only allow traffic through which either matches an existing
-      connection or opens a new one.  The disadvantage of a stateful
-      firewall is that it can be vulnerable to Denial of Service
-      (<acronym>DoS</acronym>) attacks if a lot of new connections are
-      opened very fast.  With most firewalls it is possible to use a
-      combination of stateful and non-stateful behavior to make an
-      optimal firewall for the site.</para>
+	firewall</quote>.  This type of firewall keeps track of open
+      connections and only allows traffic which either matches an
+      existing connection or opens a new, allowed connection.  The
+      disadvantage of a stateful firewall is that it can be vulnerable
+      to Denial of Service (<acronym>DoS</acronym>) attacks if a lot
+      of new connections are opened very fast.  Most firewalls use a
+      combination of stateful and non-stateful behavior.</para>
   </sect1>
 
   <sect1 id="firewalls-apps">
     <title>Firewall Packages</title>
 
-    <para>&os; has three different firewall packages built
-      into the base system.  They are: <emphasis>IPFILTER</emphasis>
-      (also known as <acronym>IPF</acronym>),
-      <emphasis>IPFIREWALL</emphasis> (also known as
-      <acronym>IPFW</acronym>), and <emphasis>OpenBSD's
-      PacketFilter</emphasis> (also known as <acronym>PF</acronym>).
-      &os; also has two built in packages for traffic shaping
-      (basically controlling bandwidth usage): &man.altq.4; and
-      &man.dummynet.4;.  Dummynet has traditionally been closely
-      tied with <acronym>IPFW</acronym>, and
-      <acronym>ALTQ</acronym> with
-      <acronym>PF</acronym>.  Traffic shaping for IPFILTER can
-      currently be done with IPFILTER for NAT and filtering and
-      <acronym>IPFW</acronym> with &man.dummynet.4;
-      <emphasis>or</emphasis> by using <acronym>PF</acronym> with
-      <acronym>ALTQ</acronym>.
-      IPFW, and PF all use rules to control the access of packets
-      to and from your system, although they go about it different
-      ways and have a different rule syntax.</para>
-
-    <para>The reason that &os; has multiple built in firewall packages
-      is that different people have different requirements and
-      preferences.  No single firewall package is the best.</para>
-
-    <para>The author prefers IPFILTER because its stateful rules are
-      much less complicated to use in a <acronym>NAT</acronym>
-      environment and it has a built in ftp proxy that simplifies the
-      rules to allow secure outbound FTP usage.</para>
+    <para>&os; has three firewalls built into the base system:
+      <emphasis>IPFILTER</emphasis>, also known as
+      <acronym>IPF</acronym>, <emphasis>IPFIREWALL</emphasis>, also
+      known as <acronym>IPFW</acronym>, and <acronym>PF</acronym>).
+      &os; also provides two traffic shapers for controlling bandwidth
+      usage: &man.altq.4; and &man.dummynet.4;.  Dummynet has
+      traditionally been closely tied with <acronym>IPFW</acronym>,
+      and <acronym>ALTQ</acronym> with <acronym>PF</acronym>.  Each
+      firewall uses rules to control the access of packets to and from
+      a &os; system, although they go about it in different ways and
+      each has a different rule syntax.</para>
+
+    <para>&os; provides multiple firewalls in order to meet the
+      different requirements and preferences for a wide variety of
+      users.  Each user should evaluate which firewall best meets
+      their needs.</para>
 
     <para>Since all firewalls are based on inspecting the values of
       selected packet control fields, the creator of the firewall
-      rulesets must have an understanding of how
+      ruleset must have an understanding of how
       <acronym>TCP/IP</acronym> works, what the different values in
-      the packet control fields are and how these values are used in a
-      normal session conversation.  For a good explanation go to:
-      <ulink
-	url="http://www.ipprimer.com/overview.cfm"></ulink>.</para>
+      the packet control fields are, and how these values are used in
+      a normal session conversation.  For a good introduction, refer
+      to <ulink
+	url="http://www.ipprimer.com/overview.cfm">Daryl's TCP/IP
+	Primer</ulink>.</para>
   </sect1>
 
   <sect1 id="firewalls-pf">
@@ -207,8 +192,7 @@
       </authorgroup>
     </sect1info>
 
-    <title>The OpenBSD Packet Filter (PF) and
-      <acronym>ALTQ</acronym></title>
+    <title>PF and <acronym>ALTQ</acronym></title>
 
     <indexterm>
       <primary>firewall</primary>
@@ -216,72 +200,65 @@
       <secondary>PF</secondary>
     </indexterm>
 
-    <para>As of July 2003 the OpenBSD firewall software application
-      known as <acronym>PF</acronym> was ported to &os; and
-      made available in the &os; Ports Collection.  Released in 2004,
-      &os; 5.3 was the first release that contained
-      <acronym>PF</acronym> as an integrated part of the base system.
-      <acronym>PF</acronym> is a complete, full-featured firewall
-      that has optional support for <acronym>ALTQ</acronym> (Alternate
-      Queuing).  <acronym>ALTQ</acronym> provides Quality of Service
-      (<acronym>QoS</acronym>) functionality.</para>
-
-    <para>The OpenBSD Project does an outstanding job of
-      maintaining the <ulink
-	url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>.
-      As such, this section of the Handbook will focus on
-      <acronym>PF</acronym> as it pertains to &os; while providing
-      some general information regarding usage.  For detailed usage
-      information please refer to the <ulink
-	url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>.</para>
+    <para>Since &os; 5.3, a ported version of OpenBSD's
+      <acronym>PF</acronym> firewall has been included as an
+      integrated part of the base system.  <acronym>PF</acronym> is a
+      complete, full-featured firewall that has optional support for
+      <acronym>ALTQ</acronym> (Alternate Queuing), which provides
+      Quality of Service (<acronym>QoS</acronym>).</para>
+
+    <para>Since the OpenBSD Project maintains the definitive
+      reference for <acronym>PF</acronym> in the<ulink
+	url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>, this
+      section of the Handbook focuses on <acronym>PF</acronym> as it
+      pertains to &os;, while providing some general usage
+      information.</para>
 
-    <para>More information about <acronym>PF</acronym> for &os;
+    <para>More information about porting <acronym>PF</acronym> to &os;
       can be found at <ulink
 	url="http://pf4freebsd.love2party.net/"></ulink>.</para>
 
     <sect2>
       <title>Using the PF Loadable Kernel Modules</title>
 
-      <para>To load the PF Kernel Module add the following line to
+      <para>In order to use PF, the PF kernel module must be first
+	loaded.  Add the following line to
 	<filename>/etc/rc.conf</filename>:</para>
 
         <programlisting>pf_enable="YES"</programlisting>
 
-	<para>Then run the startup script to load the module:</para>
+	<para>Then, run the startup script to load the module:</para>
 
         <screen>&prompt.root; <userinput>service pf start</userinput></screen>
 
-	<para>Note that the PF Module will not load if it cannot find
-	  the ruleset config file.  The default location is
+	<para>The PF module will not load if it cannot find the
+	  ruleset configuration file.  The default location is
 	  <filename>/etc/pf.conf</filename>.  If the PF ruleset is
-	  located somewhere else, PF can be instructed to look there
-	  by adding a line like the following to
-	  <filename>/etc/rc.conf</filename>:</para>
+	  located somewhere else, add a line to
+	  <filename>/etc/rc.conf</filename> which specifies the full
+	  path to the file:</para>
 
         <programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
 
 	<para>The sample <filename>pf.conf</filename>
 	  can be found in <filename
-	  class="directory">/usr/share/examples/pf/</filename>.</para>
+	    class="directory">/usr/share/examples/pf/</filename>.</para>
 
 	<para>The <acronym>PF</acronym> module can also be loaded
 	  manually from the command line:</para>
 
       <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
 
-      <para>Logging support for PF is provided by the
-	<literal>pflog.ko</literal> and can be loaded by adding the
+      <para>Logging support for PF is provided by
+	<varname>pflog.ko</varname> which can be loaded by adding the
 	following line to <filename>/etc/rc.conf</filename>:</para>
 
       <programlisting>pflog_enable="YES"</programlisting>
 
-      <para>Then run the startup script to load the module:</para>
+      <para>Then, run the startup script to load the module:</para>
 
       <screen>&prompt.root; <userinput>service pflog start</userinput></screen>
 
-      <para>If you need other <acronym>PF</acronym> features you will
-	need to compile <acronym>PF</acronym> support into the
-	kernel.</para>
     </sect2>
 
     <sect2>
@@ -305,37 +282,32 @@
 	<secondary>device pfsync</secondary>
       </indexterm>
 
-      <para>While it is not necessary that you compile
-	<acronym>PF</acronym> support into the &os; kernel, you may
-	want to do so to take advantage of one of PF's advanced
-	features that is not included in the loadable module, namely
-	&man.pfsync.4;, which is a pseudo-device that exposes certain
-	changes to the state table used by <acronym>PF</acronym>.
-	It can be paired with &man.carp.4; to create failover
-	firewalls using <acronym>PF</acronym>.  More information on
-	<acronym>CARP</acronym> can be found in
-	<xref linkend="carp"/> of the Handbook.</para>
-
-      <para>The <acronym>PF</acronym> kernel options can be found in
-	<filename>/usr/src/sys/conf/NOTES</filename> and are
-	reproduced below:</para>
+      <para>While it is not necessary to compile
+	<acronym>PF</acronym> support into the &os; kernel, some of
+	PF's advanced features are not included in the loadable
+	module, namely &man.pfsync.4;, which is a pseudo-device that
+	exposes certain changes to the state table used by
+	<acronym>PF</acronym>.  It can be paired with &man.carp.4; to
+	create failover firewalls using <acronym>PF</acronym>.  More
+	information on <acronym>CARP</acronym> can be found in <link
+	  linkend="carp">of the Handbook</link>.</para>
+
+      <para>The following <acronym>PF</acronym> kernel options can be
+	found in <filename>/usr/src/sys/conf/NOTES</filename>:</para>
 
       <programlisting>device pf
 device pflog
 device pfsync</programlisting>
 
-      <para>The <literal>device pf</literal> option enables support
-	for the <quote>Packet Filter</quote> firewall
-	(&man.pf.4;).</para>
-
-      <para>The <literal>device pflog</literal> option enables the
-	optional &man.pflog.4; pseudo network device which can be
-	used to log traffic to a &man.bpf.4; descriptor.  The
-	&man.pflogd.8; daemon can be used to store the logging
-	information to disk.</para>
+      <para><literal>device pf</literal> enables PF support.</para>
+
+      <para><literal>device pflog</literal> enables the optional
+	&man.pflog.4; pseudo network device which can be used to log
+	traffic to a &man.bpf.4; descriptor.  The &man.pflogd.8;
+	daemon can then be used to store the logging information to
+	disk.</para>
 
-      <para>The <literal>device pfsync</literal> option enables the
-	optional
+      <para><literal>device pfsync</literal> enables the optional
 	&man.pfsync.4; pseudo-network device that is used to monitor
 	<quote>state changes</quote>.</para>
     </sect2>
@@ -343,8 +315,9 @@ device pfsync</programlisting>
     <sect2>
       <title>Available <filename>rc.conf</filename> Options</title>
 
-      <para>The following &man.rc.conf.5; statements configure
-	<acronym>PF</acronym> and &man.pflog.4; at boot:</para>
+      <para>The following &man.rc.conf.5; statements can be used to
+	configure <acronym>PF</acronym> and &man.pflog.4; at
+	boot:</para>
 
       <programlisting>pf_enable="YES"                 # Enable PF (load module if required)
 pf_rules="/etc/pf.conf"         # rules definition file for pf
@@ -353,9 +326,9 @@ pflog_enable="YES"              # start 
 pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
 pflog_flags=""                  # additional flags for pflogd startup</programlisting>
 
-      <para>If you have a LAN behind this firewall and have to forward
-	packets for the computers on the LAN or want to do NAT, you
-	will need the following option as well:</para>
+      <para>If there is a LAN behind the firewall and packets need to
+	be forwarded for the computers on the LAN, or NAT is required,
+	add the following option:</para>
 
       <programlisting>gateway_enable="YES"            # Enable as LAN gateway</programlisting>
     </sect2>
@@ -363,40 +336,40 @@ pflog_flags=""                  # additi
     <sect2>
       <title>Creating Filtering Rules</title>
 
-      <para><acronym>PF</acronym> reads its configuration rules from
-	&man.pf.conf.5; (<filename>/etc/pf.conf</filename> by
-	default) and it modifies, drops, or passes packets according
-	to the rules or definitions specified there.  The &os;
-	installation includes several sample files located in
-	<filename>/usr/share/examples/pf/</filename>.  Please refer
-	to the <ulink url="http://www.openbsd.org/faq/pf/">PF
-	FAQ</ulink> for complete coverage of <acronym>PF</acronym>
-	rulesets.</para>
+      <para>By default, <acronym>PF</acronym> reads its configuration
+	rules from <filename>/etc/pf.conf</filename> and modifies,
+	drops, or passes packets according to the rules or definitions
+	specified in this file.  The &os; installation includes
+	several sample files located in
+	<filename>/usr/share/examples/pf/</filename>.  Refer to the
+	<ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink> for
+	complete coverage of <acronym>PF</acronym> rulesets.</para>
 
       <warning>
-	<para>When browsing the <ulink
-	  url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>,
-	  please keep in mind that different versions of &os; can
-	  contain different versions of PF. Currently,
-	  &os; 8.<replaceable>X</replaceable> and prior is
-	  using the same version of <acronym>PF</acronym> as
+	<para>When reading the <ulink
+	    url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>,
+	  keep in mind that different versions of &os; contain
+	  different versions of PF.  Currently,
+	  &os; 8.<replaceable>X</replaceable> and prior is using
+	  the same version of <acronym>PF</acronym> as
 	  OpenBSD 4.1.  &os; 9.<replaceable>X</replaceable>
 	  and later is using the same version of <acronym>PF</acronym>
 	  as OpenBSD 4.5.</para>
       </warning>
 
       <para>The &a.pf; is a good place to ask questions about
-	configuring and running the <acronym>PF</acronym>
-	firewall.  Do not forget to check the mailing list archives
-	before asking questions!</para>
+	configuring and running the <acronym>PF</acronym> firewall.
+	Do not forget to check the mailing list archives before asking
+	questions.</para>
     </sect2>
 
     <sect2>
       <title>Working with PF</title>
 
-      <para>Use &man.pfctl.8; to control <acronym>PF</acronym>.  Below
-	are some useful commands (be sure to review the &man.pfctl.8;
-	man page for all available options):</para>
+      <para>To control <acronym>PF</acronym>, use &man.pfctl.8;.
+	Below are some useful options to this command.  Review
+	&man.pfctl.8; for a description of all available
+	options:</para>
 
       <informaltable frame="none" pgwide="1">
 	<tgroup cols="2">
@@ -411,35 +384,35 @@ pflog_flags=""                  # additi
 	    <row>
 	      <entry><command>pfctl
 		  <option>-e</option></command></entry>
-	      <entry>Enable PF</entry>
+	      <entry>Enable PF.</entry>
 	    </row>
 
 	    <row>
 	      <entry><command>pfctl
 		  <option>-d</option></command></entry>
-	      <entry>Disable PF</entry>
+	      <entry>Disable PF.</entry>
 	    </row>
 
 	    <row>
 	      <entry><command>pfctl <option>-F</option> all
 		  <option>-f</option> /etc/pf.conf</command></entry>
-	      <entry>Flush all rules (nat, filter, state, table, etc.)
-		and reload from the file
-		<filename>/etc/pf.conf</filename></entry>
+	      <entry>Flush all NAT, filter, state, and table
+		rules and reload
+		<filename>/etc/pf.conf</filename>.</entry>
 	    </row>
 
 	    <row>
 	      <entry><command>pfctl <option>-s</option> [ rules | nat
 		  state ]</command></entry>
-	      <entry>Report on the  filter rules, nat rules, or state
-		table</entry>
+	      <entry>Report on the filter rules, NAT rules, or state
+		table.</entry>
 	    </row>
 
 	    <row>
 	      <entry><command>pfctl <option>-vnf</option>
 		  /etc/pf.conf</command></entry>
 	      <entry>Check <filename>/etc/pf.conf</filename> for
-		errors, but do not load ruleset</entry>
+		errors, but do not load ruleset.</entry>
 	    </row>
 	  </tbody>
 	</tgroup>
@@ -449,11 +422,11 @@ pflog_flags=""                  # additi
     <sect2>
       <title>Enabling <acronym>ALTQ</acronym></title>
 
-      <para><acronym>ALTQ</acronym> is only available by compiling
-	support for it into the &os; kernel.  <acronym>ALTQ</acronym>
-	is not supported by all of the available network card drivers.
-	Please see the &man.altq.4; manual page for a list of drivers
-	that are supported in your release of &os;.</para>
+      <para><acronym>ALTQ</acronym> is only available by compiling its
+	support into the &os; kernel.  <acronym>ALTQ</acronym> is not
+	supported by all network card drivers.  Refer to &man.altq.4;
+	for a list of drivers that are supported by the release of
+	&os;.</para>
 
       <para>The following kernel options will enable
 	<acronym>ALTQ</acronym> and add additional
@@ -473,28 +446,27 @@ options         ALTQ_NOPCC      # Requir
       <para><literal>options ALTQ_CBQ</literal> enables
 	<emphasis>Class Based Queuing</emphasis>
 	(<acronym>CBQ</acronym>).  <acronym>CBQ</acronym>
-	allows you to divide a connection's bandwidth into different
+	can be used to divide a connection's bandwidth into different
 	classes or queues to prioritize traffic based on filter
 	rules.</para>
 
       <para><literal>options ALTQ_RED</literal> enables
 	<emphasis>Random Early Detection</emphasis>
 	(<acronym>RED</acronym>).  <acronym>RED</acronym> is
-	used to avoid network congestion.  <acronym>RED</acronym>
-	does this by measuring the length of the queue and comparing
-	it to the minimum and maximum thresholds for the queue.  If
-	the queue is over the maximum all new packets will be dropped.
-	True to its name, <acronym>RED</acronym> drops packets from
-	different connections randomly.</para>
+	used to avoid network congestion by measuring the length of
+	the queue and comparing it to the minimum and maximum
+	thresholds for the queue.  If the queue is over the maximum,
+	all new packets will be dropped.  <acronym>RED</acronym> drops
+	packets from different connections randomly.</para>
 
       <para><literal>options ALTQ_RIO</literal> enables
 	<emphasis>Random Early Detection In and Out</emphasis>.</para>
 
       <para><literal>options ALTQ_HFSC</literal> enables the
 	<emphasis>Hierarchical Fair Service Curve Packet
-	Scheduler</emphasis>.  For more information about
-	<acronym>HFSC</acronym> see: <ulink
-	url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>
+	  Scheduler</emphasis> <acronym>HFSC</acronym>.  For more
+	information, refer to <ulink
+	  url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>
 
       <para><literal>options ALTQ_PRIQ</literal> enables
 	<emphasis>Priority Queuing</emphasis>
@@ -517,51 +489,46 @@ options         ALTQ_NOPCC      # Requir
       <secondary>IPFILTER</secondary>
     </indexterm>
 
-    <para>The author of IPFILTER is Darren Reed.  IPFILTER is not
-      operating system dependent: it is an open source application and
+    <para>IPFILTER is a cross-platform, open source firewall which
       has been ported to &os;, NetBSD, OpenBSD, &sunos;, HP/UX, and
-      &solaris; operating systems.  IPFILTER is actively being
-      supported and maintained, with updated versions being released
-      regularly.</para>
+      &solaris; operating systems.</para>
 
     <para>IPFILTER is based on a kernel-side firewall and
       <acronym>NAT</acronym> mechanism that can be controlled and
       monitored by userland interface programs.  The firewall rules
-      can be set or deleted with the &man.ipf.8; utility.  The
-      <acronym>NAT</acronym> rules can be set or deleted with the
-      &man.ipnat.8; utility.  The &man.ipfstat.8; utility can print
-      run-time statistics for the kernel parts of IPFILTER.  The
-      &man.ipmon.8; program can log IPFILTER actions to the system
-      log files.</para>
+      can be set or deleted using &man.ipf.8;.  The
+      <acronym>NAT</acronym> rules can be set or deleted using
+      &man.ipnat.8;.  Run-time statistics for the kernel parts of
+      IPFILTER can be printed using &man.ipfstat.8;.  To log IPFILTER
+      actions to the system log files, use &man.ipmon.8;.</para>
 
     <para>IPF was originally written using a rule processing logic
-      of <quote>the last matching rule wins</quote> and used only
-      stateless type of rules.  Over time IPF has been enhanced to
-      include a <quote>quick</quote> option and a stateful
-      <quote>keep state</quote> option which drastically modernized
-      the rules processing logic.  IPF's official documentation covers
-      only the legacy rule coding parameters and rule file processing
-      logic.  The modernized functions are only included as additional
-      options, completely understating their benefits in producing
-      a far superior and more secure firewall.</para>
+      of <quote>the last matching rule wins</quote> and only used
+      stateless rules.  Over time, IPF has been enhanced to include a
+      <quote>quick</quote> option and a stateful
+      <quote>keep state</quote> option which modernized the rules
+      processing logic.  IPF's official documentation covers only the
+      legacy rule coding parameters and rule file processing logic and
+      the modernized functions are only included as additional
+      options.</para>
 
     <para>The instructions contained in this section are based on
-      using rules that contain the <quote>quick</quote> option and the
-      stateful <quote>keep state</quote> option.  This is the basic
-      framework for coding an inclusive firewall ruleset.</para>
-
-    <para>For detailed explanation of the legacy rules processing
-      method see: <ulink
-      url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink>
+      using rules that contain <quote>quick</quote> and
+      <quote>keep state</quote> as these provide the basic framework
+      for configuring an inclusive firewall ruleset.</para>
+
+    <para>For a detailed explanation of the legacy rules processing
+      method, refer to <ulink
+	url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink>
       and <ulink
-      url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
+	url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
 
     <para>The IPF FAQ is at <ulink
-      url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
+	url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
 
-    <para>A searchable archive of the open-source IPFilter mailing
-      list is available at <ulink
-      url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
+    <para>A searchable archive of the IPFilter mailing list is
+      available at <ulink
+	url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
 
     <sect2>
       <title>Enabling IPF</title>
@@ -572,17 +539,15 @@ options         ALTQ_NOPCC      # Requir
 	<secondary>enabling</secondary>
       </indexterm>
 
-      <para>IPF is included in the basic &os; install as a separate
-	run time loadable module.  The system will dynamically load
-	the IPF kernel loadable module when the
-	<filename>rc.conf</filename> statement
-	<literal>ipfilter_enable="YES"</literal> is used.  The
-	loadable module was created with logging enabled and the
-	<literal>default pass all</literal> options.  There is no
-	need to compile IPF into the &os; kernel just to change the
-	default to <literal>block all</literal>.  This can be done
-	just by adding a <literal>block all</literal> rule at the
-	end of your ruleset.</para>
+      <para>IPF is included in the basic &os; install as a kernel
+	loadable module.  The system will dynamically load
+	this module at boot time when
+	<varname>ipfilter_enable="YES"</varname> is added to
+	<filename>rc.conf</filename>.  The module enables logging and
+	<literal>default pass all</literal>.  To change the
+	default to <literal>block all</literal>, add a
+	<literal>block all</literal> rule at the end of the
+	ruleset.</para>
     </sect2>
 
     <sect2>
@@ -612,15 +577,10 @@ options         ALTQ_NOPCC      # Requir
 	<secondary>kernel options</secondary>
       </indexterm>
 
-      <para>It is not a mandatory requirement to enable IPF by
-	compiling the following options into the &os; kernel.  It is
-	only presented here as background information.  Compiling IPF
-	into the kernel causes the loadable module to never be
-	used.</para>
-
-      <para>Sample kernel config IPF option statements are in the
-	<filename>/usr/src/sys/conf/NOTES</filename> kernel source
-	and are reproduced here:</para>
+      <para>For users who prefer to statically compile IPF support
+	into a custom kernel, the following IPF option statements,
+	listed in <filename>/usr/src/sys/conf/NOTES</filename>, are
+	available:</para>
 
       <programlisting>options IPFILTER
 options IPFILTER_LOG
@@ -629,15 +589,14 @@ options IPFILTER_DEFAULT_BLOCK</programl
       <para><literal>options IPFILTER</literal> enables support for
 	the <quote>IPFILTER</quote> firewall.</para>
 
-      <para><literal>options IPFILTER_LOG</literal> enables the option
-	to have IPF log traffic by writing to the
-	<devicename>ipl</devicename> packet logging
+      <para><literal>options IPFILTER_LOG</literal> enables IPF
+	logging using the <devicename>ipl</devicename> packet logging
 	pseudo—device for every rule that has the
 	<literal>log</literal> keyword.</para>
 
       <para><literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
-	the default behavior so any packet not matching a firewall
-	<literal>pass</literal> rule gets blocked.</para>
+	the default behavior so that any packet not matching a
+	firewall <literal>pass</literal> rule gets blocked.</para>
 
       <para>These settings will take effect only after installing a
 	kernel that has been built with the above options set.</para>
@@ -657,9 +616,9 @@ ipmon_flags="-Ds"                 # D = 
                                   # v = log tcp window, ack, seq
                                   # n = map IP & port to names</programlisting>
 
-      <para>If there is a LAN behind this firewall that uses the
-	reserved private IP address ranges, the following lines will
-	have to be added to enable <acronym>NAT</acronym>
+      <para>If there is a LAN behind the firewall that uses the
+	reserved private IP address ranges, the following lines have
+	to be added to enable <acronym>NAT</acronym>
 	functionality:</para>
 
       <programlisting>gateway_enable="YES"              # Enable as LAN gateway
@@ -672,36 +631,36 @@ ipnat_rules="/etc/ipnat.rules"    # rule
 
       <indexterm><primary><command>ipf</command></primary></indexterm>
 
-      <para>The &man.ipf.8; command is used to load your ruleset file.
-	Your custom rules would normally be placed in a file, and the
-	following command could then be used to replace in mass the
-	currently running firewall rules:</para>
+      <para>To load the ruleset file, use &man.ipf.8;.  Custom rules
+	are normally placed in a file, and the following command can
+	be used to replace the currently running firewall
+	rules:</para>
 
       <screen>&prompt.root; <userinput>ipf -Fa -f /etc/ipf.rules</userinput></screen>
 
-      <para><option>-Fa</option> means flush all internal rules
+      <para><option>-Fa</option> flushes all the internal rules
 	tables.</para>
 
-      <para><option>-f</option> means this is the file to read for
-	the rules to load.</para>
+      <para><option>-f</option> specifies the file containing the
+	rules to load.</para>
 
-      <para>This gives you the ability to make changes to your custom
+      <para>This provides the ability to make changes to a custom
 	rules file, run the above IPF command, and thus update the
-	running firewall with a fresh copy of all the rules without
-	having to reboot the system.  This method is very convenient
-	for testing new rules as the procedure can be executed as many
-	times as needed.</para>
-
-      <para>See the &man.ipf.8; manual page for details on the other
-	flags available with this command.</para>
-
-      <para>The &man.ipf.8; command expects the rules file to be a
-	standard text file.  It will not accept a rules file written
-	as a script with symbolic substitution.</para>
+	running firewall with a fresh copy of the rules without having
+	to reboot the system.  This method is convenient for testing
+	new rules as the procedure can be executed as many times as
+	needed.</para>
+
+      <para>Refer to &man.ipf.8; for details on the other flags
+	available with this command.</para>
+
+      <para>&man.ipf.8; expects the rules file to be a standard text
+	file.  It will not accept a rules file written as a script
+	with symbolic substitution.</para>
 
-      <para>There is a way to build IPF rules that utilizes the power
+      <para>There is a way to build IPF rules that utilize the power
 	of script symbolic substitution.  For more information, see
-	<xref linkend="firewalls-ipf-rules-script"/>.</para>
+	<link linkend="firewalls-ipf-rules-script"></link>.</para>
     </sect2>
 
     <sect2>
@@ -717,15 +676,15 @@ ipnat_rules="/etc/ipnat.rules"    # rule
 
       <para>The default behavior of &man.ipfstat.8; is to retrieve
 	and display the totals of the accumulated statistics gathered
-	as a result of applying the user coded rules against packets
-	going in and out of the firewall since it was last started,
-	or since the last time the accumulators were reset to zero
-	using <command>ipf -Z</command>.</para>
+	by applying the rules against packets going in and out of the
+	firewall since it was last started, or since the last time the
+	accumulators were reset to zero using <command>ipf
+	  -Z</command>.</para>
 
-      <para>See the &man.ipfstat.8; manual page for details.</para>
+      <para>Refer to &man.ipfstat.8; for details.</para>
 
-      <para>The default &man.ipfstat.8; command output will look
-	something like this:</para>
+      <para>The default &man.ipfstat.8; output will look something
+	like this:</para>
 
       <screen>input packets: blocked 99286 passed 1255609 nomatch 14686 counted 0
  output packets: blocked 4200 passed 1284345 nomatch 14687 counted 0
@@ -751,10 +710,10 @@ ipnat_rules="/etc/ipnat.rules"    # rule
 	installed and in use by the kernel.</para>
 
       <para><command>ipfstat -in</command> displays the inbound
-	internal rules table with rule number.</para>
+	internal rules table with rule numbers.</para>
 
       <para><command>ipfstat -on</command> displays the outbound
-	internal rules table with the rule number.</para>
+	internal rules table with rule numbers.</para>
 
       <para>The output will look something like this:</para>
 
@@ -776,16 +735,15 @@ ipnat_rules="/etc/ipnat.rules"    # rule
 354727 block out on dc0 from any to any
 430918 pass out quick on dc0 proto tcp/udp from any to any keep state</screen>
 
-      <para>One of the most important functions of
-	<command>ipfstat</command> is the <option>-t</option>
-	flag which displays the state table in a way similar to the
-	way &man.top.1; shows the &os; running process table.  When
-	your firewall is under attack, this function gives you the
-	ability to identify, drill down to, and see the attacking
-	packets.  The optional sub-flags give the ability to select
-	the destination or source IP, port, or protocol that you want
-	to monitor in real time.  See the &man.ipfstat.8; manual page
-	for details.</para>
+      <para>One of the most important options of
+	<command>ipfstat</command> is <option>-t</option> which
+	displays the state table in a way similar to how &man.top.1;
+	shows the &os; running process table.  When a firewall is
+	under attack, this function provides the ability to identify
+	and see the attacking packets.  The optional sub-flags give
+	the ability to select the destination or source IP, port, or
+	protocol to be monitored in real time.  Refer to
+	&man.ipfstat.8; for details.</para>
     </sect2>
 
     <sect2>
@@ -801,55 +759,51 @@ ipnat_rules="/etc/ipnat.rules"    # rule
 
       <para>In order for <command>ipmon</command> to work properly,
 	the kernel option <literal>IPFILTER_LOG</literal> must be
-	turned on.  This command has two different modes that it can
-	be used in.  Native mode is the default mode when the command
-	is typed on the command line without the <option>-D</option>
-	flag.</para>
-
-      <para>Daemon mode is for when a continuous
-	system log file is desired, so that logging of past events
-	may be reviewed.  This is how &os; and IPFILTER are configured
-	to work together.  &os; has a built in facility to
-	automatically rotate system logs.  That is why outputting the
-	log information to &man.syslogd.8; is better than the default
-	of outputting to a regular file.  In the default
-	<filename>rc.conf</filename>, the
-	<literal>ipmon_flags</literal> statement uses the
-	<option>-Ds</option> flags:</para>
+	turned on.  This command has two different modes.  Native mode
+	is the default mode when the command is used without
+	<option>-D</option>.</para>
+
+      <para>Daemon mode provides a continuous system log file so that
+	logging of past events may be reviewed.  &os; has a built in
+	facility to automatically rotate system logs.  This is why
+	outputting the log information to &man.syslogd.8; is better
+	than the default of outputting to a regular file.  The default
+	<filename>rc.conf</filename>
+	<literal>ipmon_flags</literal> statement uses
+	<option>-Ds</option>:</para>
 
       <programlisting>ipmon_flags="-Ds" # D = start as daemon
                   # s = log to syslog
                   # v = log tcp window, ack, seq
                   # n = map IP & port to names</programlisting>
 
-      <para>The benefits of logging are obvious.  It provides the
-	ability to review, after the fact, information such as which
-	packets had been dropped, what addresses they came from and
-	where they were going.  These can all provide a significant
-	edge in tracking down attackers.</para>
+      <para>Logging provides the ability to review, after the fact,
+	information such as which packets were dropped, what addresses
+	they came from and where they were going.  These can all
+	provide a significant edge in tracking down attackers.</para>
 
       <para>Even with the logging facility enabled, IPF will not
-	generate any rule logging on its own.  The firewall
-	administrator decides what rules in the ruleset he wants to
-	log and adds the log keyword to those rules.  Normally only
-	deny rules are logged.</para>
-
-      <para>It is very customary to include a default deny everything
-	rule with the log keyword included as your last rule in the
-	ruleset.  This makes it possible to see all the packets that
-	did not match any of the rules in the ruleset.</para>
+	generate any rule logging by default.  The firewall
+	administrator decides which rules in the ruleset should be
+	logged and adds the log keyword to those rules.  Normally,
+	only deny rules are logged.</para>
+
+      <para>It is customary to include a <quote>default deny
+	  everything</quote> rule with the log keyword included as the
+	last rule in the ruleset.  This makes it possible to see all
+	the packets that did not match any of the rules in the
+	ruleset.</para>
     </sect2>
 
     <sect2>
       <title>IPMON Logging</title>
 
-      <para><application>Syslogd</application> uses its own special
-	method for segregation of log data.  It uses special groupings
-	called <quote>facility</quote> and <quote>level</quote>.
-	IPMON in <option>-Ds</option> mode uses
-	<literal>local0</literal> as the <quote>facility</quote>
-	name by default.  The following levels can be used to further
-	segregate the logged data if desired:</para>
+      <para>&man.syslogd.8; uses its own method for segregation of log
+	data.  It uses groupings called <quote>facility</quote> and
+	<quote>level</quote>.  By default, IPMON in
+	<option>-Ds</option> mode uses <literal>local0</literal> as
+	the <quote>facility</quote> name.  The following levels can be
+	used to further segregate the logged data:</para>
 
       <screen>LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
 LOG_NOTICE - packets logged which are also passed
@@ -858,37 +812,31 @@ LOG_ERR - packets which have been logged
 
       <!-- XXX: "can be considered short" == "with incomplete header" -->
 
-      <para>To setup IPFILTER to log all data to
-	<filename>/var/log/ipfilter.log</filename>, the file will
-	need to be created beforehand.  The following command will
-	do that:</para>
+      <para>In order to setup IPFILTER to log all data to
+	<filename>/var/log/ipfilter.log</filename>, first
+	create the empty file:</para>
 
        <screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen>
 
-      <para>The &man.syslogd.8; function is controlled by definition
-	statements in <filename>/etc/syslog.conf</filename>.
-	This file offers considerable
-	flexibility in how <application>syslog</application> will
-	deal with system messages issued by software applications
-	like IPF.</para>
+      <para>&man.syslogd.8; is controlled by definition statements in
+	<filename>/etc/syslog.conf</filename>.  This file offers
+	considerable flexibility in how
+	<application>syslog</application> will deal with system
+	messages issued by software applications like IPF.</para>
 
-      <para>Add the following statement to
+      <para>To write all logged messages to the specified file,
+	add the following statement to
 	<filename>/etc/syslog.conf</filename>:</para>
 
       <programlisting>local0.* /var/log/ipfilter.log</programlisting>
 
-      <para>The <literal>local0.*</literal>
-	means to write all the logged messages to the coded
-	file location.</para>
-
-      <para>To activate the changes to <filename>/etc/syslog.conf
-	  </filename> you can reboot or bump the &man.syslogd.8;
-	daemon into re-reading <filename>/etc/syslog.conf</filename>
-	by running <command>service syslogd reload</command></para>
+      <para>To activate the changes and instruct &man.syslogd.8;
+	to read the modified <filename>/etc/syslog.conf</filename>,
+	run <command>service syslogd reload</command>.</para>
 
       <para>Do not forget to change
 	<filename>/etc/newsyslog.conf</filename> to rotate the new
-	log created above.</para>
+	log file.</para>
     </sect2>
 
     <sect2>
@@ -906,16 +854,16 @@ LOG_ERR - packets which have been logged
 	<listitem>
 	  <para>The time of packet receipt.  This is in the form
 	    HH:MM:SS.F, for hours, minutes, seconds, and fractions
-	    of a second (which can be several digits long).</para>

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***


More information about the svn-doc-all mailing list