svn commit: r40685 - head/en_US.ISO8859-1/books/handbook/firewalls
Benedict Reuschling
bcr at FreeBSD.org
Sat Jan 19 21:09:12 UTC 2013
Author: bcr
Date: Sat Jan 19 21:09:11 2013
New Revision: 40685
URL: http://svnweb.freebsd.org/changeset/doc/40685
Log:
Whitespace fixes for the entire firewalls chapter.
Translators can ignore this.
Submitted by: Dru Lavigne
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sat Jan 19 17:40:46 2013 (r40684)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Sat Jan 19 21:09:11 2013 (r40685)
@@ -36,15 +36,15 @@
<sect1 id="firewalls-intro">
<title>Introduction</title>
- <para>Firewalls make it possible to filter
- incoming and outgoing traffic that flows through your system.
- A firewall can use one or more sets of <quote>rules</quote> to
- inspect the network packets as they come in or go out of your
- network connections and either allows the traffic through or
- blocks it. The rules of a firewall can inspect one or more
- characteristics of the packets, including but not limited to the
- protocol type, the source or destination host address, and the
- source or destination port.</para>
+ <para>Firewalls make it possible to filter incoming and outgoing
+ traffic that flows through your system. A firewall can use one
+ or more sets of <quote>rules</quote> to inspect the network
+ packets as they come in or go out of your network connections
+ and either allows the traffic through or blocks it. The rules
+ of a firewall can inspect one or more characteristics of the
+ packets, including but not limited to the protocol type, the
+ source or destination host address, and the source or
+ destination port.</para>
<para>Firewalls can greatly enhance the security of a host or a
network. They can be used to do one or more of
@@ -125,18 +125,20 @@
reverse. It only allows traffic matching the rules through and
blocks everything else.</para>
- <para>An inclusive firewall offers much better control of the outgoing
- traffic, making it a better choice for systems that offer services to
- the public Internet. It also controls the type of traffic originating
- from the public Internet that can gain access to your private network.
- All traffic that does not match the rules, is blocked and logged by
- design. Inclusive firewalls are generally safer than exclusive
- firewalls because they significantly reduce the risk of allowing
- unwanted traffic to pass through them.</para>
+ <para>An inclusive firewall offers much better control of the
+ outgoing traffic, making it a better choice for systems that
+ offer services to the public Internet. It also controls the
+ type of traffic originating from the public Internet that can
+ gain access to your private network. All traffic that does
+ not match the rules, is blocked and logged by design. Inclusive
+ firewalls are generally safer than exclusive firewalls because
+ they significantly reduce the risk of allowing unwanted traffic
+ to pass through them.</para>
<note>
<para>Unless noted otherwise, all configuration and example
- rulesets in this chapter, create inclusive type firewalls.</para>
+ rulesets in this chapter, create inclusive type
+ firewalls.</para>
</note>
<para>Security can be tightened further using a <quote>stateful
@@ -157,21 +159,22 @@
<para>&os; has three different firewall packages built
into the base system. They are: <emphasis>IPFILTER</emphasis>
(also known as <acronym>IPF</acronym>),
- <emphasis>IPFIREWALL</emphasis> (also known as <acronym>IPFW</acronym>),
- and <emphasis>OpenBSD's PacketFilter</emphasis> (also known as
- <acronym>PF</acronym>). &os; also has two built in packages for
- traffic shaping (basically controlling bandwidth usage):
- &man.altq.4; and &man.dummynet.4;. Dummynet has traditionally been
- closely tied with <acronym>IPFW</acronym>, and
+ <emphasis>IPFIREWALL</emphasis> (also known as
+ <acronym>IPFW</acronym>), and <emphasis>OpenBSD's
+ PacketFilter</emphasis> (also known as <acronym>PF</acronym>).
+ &os; also has two built in packages for traffic shaping
+ (basically controlling bandwidth usage): &man.altq.4; and
+ &man.dummynet.4;. Dummynet has traditionally been closely
+ tied with <acronym>IPFW</acronym>, and
<acronym>ALTQ</acronym> with
- <acronym>PF</acronym>. Traffic shaping for IPFILTER can currently
- be done with IPFILTER for NAT and filtering and
+ <acronym>PF</acronym>. Traffic shaping for IPFILTER can
+ currently be done with IPFILTER for NAT and filtering and
<acronym>IPFW</acronym> with &man.dummynet.4;
<emphasis>or</emphasis> by using <acronym>PF</acronym> with
<acronym>ALTQ</acronym>.
- IPFW, and PF all use rules to control the access of packets to and
- from your system, although they go about it different ways and
- have a different rule syntax.</para>
+ IPFW, and PF all use rules to control the access of packets
+ to and from your system, although they go about it different
+ ways and have a different rule syntax.</para>
<para>The reason that &os; has multiple built in firewall packages
is that different people have different requirements and
@@ -193,16 +196,16 @@
</sect1>
<sect1 id="firewalls-pf">
- <sect1info>
- <authorgroup>
- <author>
- <firstname>John</firstname>
- <surname>Ferrell</surname>
- <contrib>Revised and updated by </contrib>
- <!-- 24 March 2008 -->
- </author>
- </authorgroup>
- </sect1info>
+ <sect1info>
+ <authorgroup>
+ <author>
+ <firstname>John</firstname>
+ <surname>Ferrell</surname>
+ <contrib>Revised and updated by </contrib>
+ <!-- 24 March 2008 -->
+ </author>
+ </authorgroup>
+ </sect1info>
<title>The OpenBSD Packet Filter (PF) and
<acronym>ALTQ</acronym></title>
@@ -239,36 +242,35 @@
<sect2>
<title>Using the PF Loadable Kernel Modules</title>
- <para>To load the PF Kernel Module add the following line to
- <filename>/etc/rc.conf</filename>:</para>
+ <para>To load the PF Kernel Module add the following line to
+ <filename>/etc/rc.conf</filename>:</para>
<programlisting>pf_enable="YES"</programlisting>
- <para>Then run the startup script to load the module:</para>
+ <para>Then run the startup script to load the module:</para>
<screen>&prompt.root; <userinput>/etc/rc.d/pf start</userinput></screen>
<para>Note that the PF Module will not load if it cannot find
the ruleset config file. The default location is
<filename>/etc/pf.conf</filename>. If the PF ruleset is
- located somewhere else, PF can be instructed to look there by
- adding a line like the following to
+ located somewhere else, PF can be instructed to look there
+ by adding a line like the following to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
<para>The sample <filename>pf.conf</filename>
can be found in <filename
- class="directory">/usr/share/examples/pf/</filename>.
- </para>
+ class="directory">/usr/share/examples/pf/</filename>.</para>
- <para>The <acronym>PF</acronym> module can also be loaded manually
- from the command line:</para>
+ <para>The <acronym>PF</acronym> module can also be loaded
+ manually from the command line:</para>
<screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
<para>Logging support for PF is provided by the
- <literal>pflog.ko</literal> and can be loaded by adding the
+ <literal>pflog.ko</literal> and can be loaded by adding the
following line to <filename>/etc/rc.conf</filename>:</para>
<programlisting>pflog_enable="YES"</programlisting>
@@ -278,7 +280,8 @@
<screen>&prompt.root; <userinput>/etc/rc.d/pflog start</userinput></screen>
<para>If you need other <acronym>PF</acronym> features you will
- need to compile <acronym>PF</acronym> support into the kernel.</para>
+ need to compile <acronym>PF</acronym> support into the
+ kernel.</para>
</sect2>
<sect2>
@@ -303,33 +306,36 @@
</indexterm>
<para>While it is not necessary that you compile
- <acronym>PF</acronym> support into the &os; kernel, you may want
- to do so to take advantage of one of PF's advanced features that
- is not included in the loadable module, namely &man.pfsync.4;, which
- is a pseudo-device that exposes certain changes to
- the state table used by <acronym>PF</acronym>. It can be
- paired with &man.carp.4; to create failover firewalls using
- <acronym>PF</acronym>. More information on
+ <acronym>PF</acronym> support into the &os; kernel, you may
+ want to do so to take advantage of one of PF's advanced
+ features that is not included in the loadable module, namely
+ &man.pfsync.4;, which is a pseudo-device that exposes certain
+ changes to the state table used by <acronym>PF</acronym>.
+ It can be paired with &man.carp.4; to create failover
+ firewalls using <acronym>PF</acronym>. More information on
<acronym>CARP</acronym> can be found in
<xref linkend="carp"/> of the Handbook.</para>
<para>The <acronym>PF</acronym> kernel options can be found in
- <filename>/usr/src/sys/conf/NOTES</filename> and are reproduced
- below:</para>
+ <filename>/usr/src/sys/conf/NOTES</filename> and are
+ reproduced below:</para>
<programlisting>device pf
device pflog
device pfsync</programlisting>
- <para>The <literal>device pf</literal> option enables support for the
- <quote>Packet Filter</quote> firewall (&man.pf.4;).</para>
-
- <para>The <literal>device pflog</literal> option enables the optional
- &man.pflog.4; pseudo network device which can be used to log
- traffic to a &man.bpf.4; descriptor. The &man.pflogd.8; daemon
- can be used to store the logging information to disk.</para>
+ <para>The <literal>device pf</literal> option enables support
+ for the <quote>Packet Filter</quote> firewall
+ (&man.pf.4;).</para>
+
+ <para>The <literal>device pflog</literal> option enables the
+ optional &man.pflog.4; pseudo network device which can be
+ used to log traffic to a &man.bpf.4; descriptor. The
+ &man.pflogd.8; daemon can be used to store the logging
+ information to disk.</para>
- <para>The <literal>device pfsync</literal> option enables the optional
+ <para>The <literal>device pfsync</literal> option enables the
+ optional
&man.pfsync.4; pseudo-network device that is used to monitor
<quote>state changes</quote>.</para>
</sect2>
@@ -359,12 +365,13 @@ pflog_flags="" # additi
<para><acronym>PF</acronym> reads its configuration rules from
&man.pf.conf.5; (<filename>/etc/pf.conf</filename> by
- default) and it modifies, drops, or passes packets according to
- the rules or definitions specified there. The &os;
+ default) and it modifies, drops, or passes packets according
+ to the rules or definitions specified there. The &os;
installation includes several sample files located in
- <filename>/usr/share/examples/pf/</filename>. Please refer to
- the <ulink url="http://www.openbsd.org/faq/pf/">PF FAQ</ulink>
- for complete coverage of <acronym>PF</acronym> rulesets.</para>
+ <filename>/usr/share/examples/pf/</filename>. Please refer
+ to the <ulink url="http://www.openbsd.org/faq/pf/">PF
+ FAQ</ulink> for complete coverage of <acronym>PF</acronym>
+ rulesets.</para>
<warning>
<para>When browsing the <ulink
@@ -373,9 +380,9 @@ pflog_flags="" # additi
contain different versions of PF. Currently,
&os; 8.<replaceable>X</replaceable> and prior is
using the same version of <acronym>PF</acronym> as
- OpenBSD 4.1. &os; 9.<replaceable>X</replaceable> and
- later is using the same version of <acronym>PF</acronym> as
- OpenBSD 4.5.</para>
+ OpenBSD 4.1. &os; 9.<replaceable>X</replaceable>
+ and later is using the same version of <acronym>PF</acronym>
+ as OpenBSD 4.5.</para>
</warning>
<para>The &a.pf; is a good place to ask questions about
@@ -402,31 +409,37 @@ pflog_flags="" # additi
<tbody>
<row>
- <entry><command>pfctl <option>-e</option></command></entry>
+ <entry><command>pfctl
+ <option>-e</option></command></entry>
<entry>Enable PF</entry>
</row>
<row>
- <entry><command>pfctl <option>-d</option></command></entry>
+ <entry><command>pfctl
+ <option>-d</option></command></entry>
<entry>Disable PF</entry>
</row>
<row>
- <entry><command>pfctl <option>-F</option> all <option>-f</option> /etc/pf.conf</command></entry>
- <entry>Flush all rules (nat, filter, state, table, etc.) and
- reload from the file <filename>/etc/pf.conf</filename></entry>
+ <entry><command>pfctl <option>-F</option> all
+ <option>-f</option> /etc/pf.conf</command></entry>
+ <entry>Flush all rules (nat, filter, state, table, etc.)
+ and reload from the file
+ <filename>/etc/pf.conf</filename></entry>
</row>
<row>
- <entry><command>pfctl <option>-s</option> [ rules | nat | state ]</command></entry>
+ <entry><command>pfctl <option>-s</option> [ rules | nat
+ state ]</command></entry>
<entry>Report on the filter rules, nat rules, or state
table</entry>
</row>
<row>
- <entry><command>pfctl <option>-vnf</option> /etc/pf.conf</command></entry>
- <entry>Check <filename>/etc/pf.conf</filename> for errors,
- but do not load ruleset</entry>
+ <entry><command>pfctl <option>-vnf</option>
+ /etc/pf.conf</command></entry>
+ <entry>Check <filename>/etc/pf.conf</filename> for
+ errors, but do not load ruleset</entry>
</row>
</tbody>
</tgroup>
@@ -437,13 +450,14 @@ pflog_flags="" # additi
<title>Enabling <acronym>ALTQ</acronym></title>
<para><acronym>ALTQ</acronym> is only available by compiling
- support for it into the &os; kernel. <acronym>ALTQ</acronym> is
- not supported by all of the available network card drivers.
+ support for it into the &os; kernel. <acronym>ALTQ</acronym>
+ is not supported by all of the available network card drivers.
Please see the &man.altq.4; manual page for a list of drivers
that are supported in your release of &os;.</para>
<para>The following kernel options will enable
- <acronym>ALTQ</acronym> and add additional functionality:</para>
+ <acronym>ALTQ</acronym> and add additional
+ functionality:</para>
<programlisting>options ALTQ
options ALTQ_CBQ # Class Bases Queuing (CBQ)
@@ -456,33 +470,36 @@ options ALTQ_NOPCC # Requir
<para><literal>options ALTQ</literal> enables the
<acronym>ALTQ</acronym> framework.</para>
- <para><literal>options ALTQ_CBQ</literal> enables <emphasis>Class Based
- Queuing</emphasis> (<acronym>CBQ</acronym>). <acronym>CBQ</acronym>
+ <para><literal>options ALTQ_CBQ</literal> enables
+ <emphasis>Class Based Queuing</emphasis>
+ (<acronym>CBQ</acronym>). <acronym>CBQ</acronym>
allows you to divide a connection's bandwidth into different
classes or queues to prioritize traffic based on filter
rules.</para>
- <para><literal>options ALTQ_RED</literal> enables <emphasis>Random Early
- Detection</emphasis> (<acronym>RED</acronym>). <acronym>RED</acronym> is
- used to avoid network congestion. <acronym>RED</acronym> does
- this by measuring the length of the queue and comparing it to
- the minimum and maximum thresholds for the queue. If the
- queue is over the maximum all new packets will be dropped.
+ <para><literal>options ALTQ_RED</literal> enables
+ <emphasis>Random Early Detection</emphasis>
+ (<acronym>RED</acronym>). <acronym>RED</acronym> is
+ used to avoid network congestion. <acronym>RED</acronym>
+ does this by measuring the length of the queue and comparing
+ it to the minimum and maximum thresholds for the queue. If
+ the queue is over the maximum all new packets will be dropped.
True to its name, <acronym>RED</acronym> drops packets from
different connections randomly.</para>
- <para><literal>options ALTQ_RIO</literal> enables <emphasis>Random Early
- Detection In and Out</emphasis>.</para>
+ <para><literal>options ALTQ_RIO</literal> enables
+ <emphasis>Random Early Detection In and Out</emphasis>.</para>
<para><literal>options ALTQ_HFSC</literal> enables the
- <emphasis>Hierarchical Fair Service Curve Packet Scheduler</emphasis>. For more
- information about <acronym>HFSC</acronym> see: <ulink
- url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>
-
- <para><literal>options ALTQ_PRIQ</literal> enables <emphasis>Priority
- Queuing</emphasis> (<acronym>PRIQ</acronym>). <acronym>PRIQ</acronym>
- will always pass traffic that is in a higher queue
- first.</para>
+ <emphasis>Hierarchical Fair Service Curve Packet
+ Scheduler</emphasis>. For more information about
+ <acronym>HFSC</acronym> see: <ulink
+ url="http://www-2.cs.cmu.edu/~hzhang/HFSC/main.html"></ulink>.</para>
+
+ <para><literal>options ALTQ_PRIQ</literal> enables
+ <emphasis>Priority Queuing</emphasis>
+ (<acronym>PRIQ</acronym>). <acronym>PRIQ</acronym> will
+ always pass traffic that is in a higher queue first.</para>
<para><literal>options ALTQ_NOPCC</literal> enables
<acronym>SMP</acronym> support for <acronym>ALTQ</acronym>.
@@ -509,24 +526,24 @@ options ALTQ_NOPCC # Requir
<para>IPFILTER is based on a kernel-side firewall and
<acronym>NAT</acronym> mechanism that can be controlled and
- monitored by userland interface programs. The firewall rules can
- be set or deleted with the &man.ipf.8; utility. The
+ monitored by userland interface programs. The firewall rules
+ can be set or deleted with the &man.ipf.8; utility. The
<acronym>NAT</acronym> rules can be set or deleted with the
&man.ipnat.8; utility. The &man.ipfstat.8; utility can print
run-time statistics for the kernel parts of IPFILTER. The
- &man.ipmon.8; program can log IPFILTER actions to the system log
- files.</para>
+ &man.ipmon.8; program can log IPFILTER actions to the system
+ log files.</para>
- <para>IPF was originally written using a rule processing logic of
- <quote>the last matching rule wins</quote> and used only
+ <para>IPF was originally written using a rule processing logic
+ of <quote>the last matching rule wins</quote> and used only
stateless type of rules. Over time IPF has been enhanced to
- include a <quote>quick</quote> option and a stateful <quote>keep
- state</quote> option which drastically modernized the rules
- processing logic. IPF's official documentation covers only the legacy
- rule coding parameters and rule file processing
+ include a <quote>quick</quote> option and a stateful
+ <quote>keep state</quote> option which drastically modernized
+ the rules processing logic. IPF's official documentation covers
+ only the legacy rule coding parameters and rule file processing
logic. The modernized functions are only included as additional
- options, completely understating their benefits in producing a
- far superior and more secure firewall.</para>
+ options, completely understating their benefits in producing
+ a far superior and more secure firewall.</para>
<para>The instructions contained in this section are based on
using rules that contain the <quote>quick</quote> option and the
@@ -535,16 +552,16 @@ options ALTQ_NOPCC # Requir
<para>For detailed explanation of the legacy rules processing
method see: <ulink
- url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink>
+ url="http://www.munk.me.uk/ipf/ipf-howto.html"></ulink>
and <ulink
- url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
+ url="http://coombs.anu.edu.au/~avalon/ip-filter.html"></ulink>.</para>
<para>The IPF FAQ is at <ulink
- url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
+ url="http://www.phildev.net/ipf/index.html"></ulink>.</para>
- <para>A searchable archive of the open-source IPFilter mailing list is
- available at <ulink
- url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
+ <para>A searchable archive of the open-source IPFilter mailing
+ list is available at <ulink
+ url="http://marc.theaimsgroup.com/?l=ipfilter"></ulink>.</para>
<sect2>
<title>Enabling IPF</title>
@@ -555,15 +572,17 @@ options ALTQ_NOPCC # Requir
<secondary>enabling</secondary>
</indexterm>
- <para>IPF is included in the basic &os; install as a separate run
- time loadable module. The system will dynamically load the IPF
- kernel loadable module when the <filename>rc.conf</filename> statement
- <literal>ipfilter_enable="YES"</literal> is used. The loadable
- module was created with logging enabled and the
- <literal>default pass all</literal> options. There is no need
- to compile IPF into the &os; kernel just to change the default
- to <literal>block all</literal>. This can be done just by adding
- a <literal>block all</literal> rule at the end of your ruleset.</para>
+ <para>IPF is included in the basic &os; install as a separate
+ run time loadable module. The system will dynamically load
+ the IPF kernel loadable module when the
+ <filename>rc.conf</filename> statement
+ <literal>ipfilter_enable="YES"</literal> is used. The
+ loadable module was created with logging enabled and the
+ <literal>default pass all</literal> options. There is no
+ need to compile IPF into the &os; kernel just to change the
+ default to <literal>block all</literal>. This can be done
+ just by adding a <literal>block all</literal> rule at the
+ end of your ruleset.</para>
</sect2>
<sect2>
@@ -607,28 +626,28 @@ options ALTQ_NOPCC # Requir
options IPFILTER_LOG
options IPFILTER_DEFAULT_BLOCK</programlisting>
- <para><literal>options IPFILTER</literal> enables support for the
- <quote>IPFILTER</quote> firewall.</para>
+ <para><literal>options IPFILTER</literal> enables support for
+ the <quote>IPFILTER</quote> firewall.</para>
<para><literal>options IPFILTER_LOG</literal> enables the option
to have IPF log traffic by writing to the
- <devicename>ipl</devicename> packet logging pseudo—device
- for every rule that has the <literal>log</literal>
- keyword.</para>
+ <devicename>ipl</devicename> packet logging
+ pseudo—device for every rule that has the
+ <literal>log</literal> keyword.</para>
<para><literal>options IPFILTER_DEFAULT_BLOCK</literal> changes
the default behavior so any packet not matching a firewall
<literal>pass</literal> rule gets blocked.</para>
- <para>These settings will take effect only after installing a kernel
- that has been built with the above options set.</para>
+ <para>These settings will take effect only after installing a
+ kernel that has been built with the above options set.</para>
</sect2>
<sect2>
<title>Available <filename>rc.conf</filename> Options</title>
- <para>To activate IPF at boot time, the following statements need to
- be added to <filename>/etc/rc.conf</filename>:</para>
+ <para>To activate IPF at boot time, the following statements
+ need to be added to <filename>/etc/rc.conf</filename>:</para>
<programlisting>ipfilter_enable="YES" # Start ipf firewall
ipfilter_rules="/etc/ipf.rules" # loads rules definition text file
@@ -639,8 +658,8 @@ ipmon_flags="-Ds" # D =
# n = map IP & port to names</programlisting>
<para>If there is a LAN behind this firewall that uses the
- reserved private IP address ranges, the following lines will have to
- be added to enable <acronym>NAT</acronym>
+ reserved private IP address ranges, the following lines will
+ have to be added to enable <acronym>NAT</acronym>
functionality:</para>
<programlisting>gateway_enable="YES" # Enable as LAN gateway
@@ -663,8 +682,8 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para><option>-Fa</option> means flush all internal rules
tables.</para>
- <para><option>-f</option> means this is the file to read for the
- rules to load.</para>
+ <para><option>-f</option> means this is the file to read for
+ the rules to load.</para>
<para>This gives you the ability to make changes to your custom
rules file, run the above IPF command, and thus update the
@@ -677,8 +696,8 @@ ipnat_rules="/etc/ipnat.rules" # rule
flags available with this command.</para>
<para>The &man.ipf.8; command expects the rules file to be a
- standard text file. It will not accept a rules file written as
- a script with symbolic substitution.</para>
+ standard text file. It will not accept a rules file written
+ as a script with symbolic substitution.</para>
<para>There is a way to build IPF rules that utilizes the power
of script symbolic substitution. For more information, see
@@ -696,12 +715,12 @@ ipnat_rules="/etc/ipnat.rules" # rule
<secondary>statistics</secondary>
</indexterm>
- <para>The default behavior of &man.ipfstat.8; is to retrieve and
- display the totals of the accumulated statistics gathered as a
- result of applying the user coded rules against packets going
- in and out of the firewall since it was last started, or since
- the last time the accumulators were reset to zero by the
- <command>ipf -Z</command> command.</para>
+ <para>The default behavior of &man.ipfstat.8; is to retrieve
+ and display the totals of the accumulated statistics gathered
+ as a result of applying the user coded rules against packets
+ going in and out of the firewall since it was last started,
+ or since the last time the accumulators were reset to zero
+ by the <command>ipf -Z</command> command.</para>
<para>See the &man.ipfstat.8; manual page for details.</para>
@@ -727,8 +746,8 @@ ipnat_rules="/etc/ipnat.rules" # rule
Packet log flags set: (0)</screen>
<para>When supplied with either <option>-i</option> for inbound
- or <option>-o</option> for outbound, the command will retrieve and
- display the appropriate list of filter rules currently
+ or <option>-o</option> for outbound, the command will retrieve
+ and display the appropriate list of filter rules currently
installed and in use by the kernel.</para>
<para><command>ipfstat -in</command> displays the inbound
@@ -759,14 +778,14 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para>One of the most important functions of the
<command>ipfstat</command> command is the <option>-t</option>
- flag which displays the state table in a way similar to the way
- &man.top.1; shows the &os; running process table. When your
- firewall is under attack, this function gives you the ability to
- identify, drill down to, and see the attacking packets. The
- optional sub-flags give the ability to select the destination
- or source IP, port, or protocol that you want to monitor in
- real time. See the &man.ipfstat.8; manual page for
- details.</para>
+ flag which displays the state table in a way similar to the
+ way &man.top.1; shows the &os; running process table. When
+ your firewall is under attack, this function gives you the
+ ability to identify, drill down to, and see the attacking
+ packets. The optional sub-flags give the ability to select
+ the destination or source IP, port, or protocol that you want
+ to monitor in real time. See the &man.ipfstat.8; manual page
+ for details.</para>
</sect2>
<sect2>
@@ -780,21 +799,23 @@ ipnat_rules="/etc/ipnat.rules" # rule
<secondary>logging</secondary>
</indexterm>
- <para>In order for <command>ipmon</command> to work properly, the
- kernel option <literal>IPFILTER_LOG</literal> must be turned on. This command has
- two different modes that it can be used in. Native mode is the
- default mode when the command is typed on the command line
- without the <option>-D</option> flag.</para>
+ <para>In order for <command>ipmon</command> to work properly,
+ the kernel option <literal>IPFILTER_LOG</literal> must be
+ turned on. This command has two different modes that it can
+ be used in. Native mode is the default mode when the command
+ is typed on the command line without the <option>-D</option>
+ flag.</para>
<para>Daemon mode is for when a continuous
- system log file is desired, so that logging of past events may be
- reviewed. This is how &os; and IPFILTER are configured to
- work together. &os; has a built in facility to automatically
- rotate system logs. That is why outputting the log information
- to &man.syslogd.8; is better than the default of outputting to a
- regular file. In the default <filename>rc.conf</filename> file,
- the <literal>ipmon_flags</literal> statement uses the <option>-Ds</option>
- flags:</para>
+ system log file is desired, so that logging of past events
+ may be reviewed. This is how &os; and IPFILTER are configured
+ to work together. &os; has a built in facility to
+ automatically rotate system logs. That is why outputting the
+ log information to &man.syslogd.8; is better than the default
+ of outputting to a regular file. In the default
+ <filename>rc.conf</filename> file, the
+ <literal>ipmon_flags</literal> statement uses the
+ <option>-Ds</option> flags:</para>
<programlisting>ipmon_flags="-Ds" # D = start as daemon
# s = log to syslog
@@ -804,8 +825,8 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para>The benefits of logging are obvious. It provides the
ability to review, after the fact, information such as which
packets had been dropped, what addresses they came from and
- where they were going. These can all provide a significant edge
- in tracking down attackers.</para>
+ where they were going. These can all provide a significant
+ edge in tracking down attackers.</para>
<para>Even with the logging facility enabled, IPF will not
generate any rule logging on its own. The firewall
@@ -815,8 +836,8 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para>It is very customary to include a default deny everything
rule with the log keyword included as your last rule in the
- ruleset. This makes it possible to see all the packets that did not
- match any of the rules in the ruleset.</para>
+ ruleset. This makes it possible to see all the packets that
+ did not match any of the rules in the ruleset.</para>
</sect2>
<sect2>
@@ -824,12 +845,11 @@ ipnat_rules="/etc/ipnat.rules" # rule
<para><application>Syslogd</application> uses its own special
method for segregation of log data. It uses special groupings
- called <quote>facility</quote> and <quote>level</quote>. IPMON
- in <option>-Ds</option> mode uses <literal>local0</literal>
- as the <quote>facility</quote>
- name by default.
- The following levels can be
- used to further segregate the logged data if desired:</para>
+ called <quote>facility</quote> and <quote>level</quote>.
+ IPMON in <option>-Ds</option> mode uses
+ <literal>local0</literal> as the <quote>facility</quote>
+ name by default. The following levels can be used to further
+ segregate the logged data if desired:</para>
<screen>LOG_INFO - packets logged using the "log" keyword as the action rather than pass or block.
LOG_NOTICE - packets logged which are also passed
@@ -839,16 +859,18 @@ LOG_ERR - packets which have been logged
<!-- XXX: "can be considered short" == "with incomplete header" -->
<para>To setup IPFILTER to log all data to
- <filename>/var/log/ipfilter.log</filename>, the file will need to be
- created beforehand. The following command will do that:</para>
+ <filename>/var/log/ipfilter.log</filename>, the file will
+ need to be created beforehand. The following command will
+ do that:</para>
<screen>&prompt.root; <userinput>touch /var/log/ipfilter.log</userinput></screen>
- <para>The &man.syslogd.8; function is controlled by definition statements
- in the <filename>/etc/syslog.conf</filename> file. The
- <filename>syslog.conf</filename> file offers considerable
- flexibility in how <application>syslog</application> will deal with system messages issued
- by software applications like IPF.</para>
+ <para>The &man.syslogd.8; function is controlled by definition
+ statements in the <filename>/etc/syslog.conf</filename> file.
+ The <filename>syslog.conf</filename> file offers considerable
+ flexibility in how <application>syslog</application> will
+ deal with system messages issued by software applications
+ like IPF.</para>
<para>Add the following statement to
<filename>/etc/syslog.conf</filename>:</para>
@@ -860,21 +882,21 @@ LOG_ERR - packets which have been logged
file location.</para>
<para>To activate the changes to <filename>/etc/syslog.conf
- </filename> you can reboot or bump the &man.syslogd.8; daemon into
- re-reading <filename>/etc/syslog.conf</filename> by running
- <command>/etc/rc.d/syslogd reload</command></para>
+ </filename> you can reboot or bump the &man.syslogd.8;
+ daemon into re-reading <filename>/etc/syslog.conf</filename>
+ by running <command>/etc/rc.d/syslogd reload</command></para>
<para>Do not forget to change
- <filename>/etc/newsyslog.conf</filename> to rotate the new log
- created above.</para>
+ <filename>/etc/newsyslog.conf</filename> to rotate the new
+ log created above.</para>
</sect2>
<sect2>
<title>The Format of Logged Messages</title>
- <para>Messages generated by <command>ipmon</command> consist of
- data fields separated by white space. Fields common to all
- messages are:</para>
+ <para>Messages generated by <command>ipmon</command> consist
+ of data fields separated by white space. Fields common to
+ all messages are:</para>
<orderedlist>
<listitem>
@@ -883,13 +905,13 @@ LOG_ERR - packets which have been logged
<listitem>
<para>The time of packet receipt. This is in the form
- HH:MM:SS.F, for hours, minutes, seconds, and fractions of a
- second (which can be several digits long).</para>
+ HH:MM:SS.F, for hours, minutes, seconds, and fractions
+ of a second (which can be several digits long).</para>
</listitem>
<listitem>
- <para>The name of the interface the packet was processed on,
- e.g., <devicename>dc0</devicename>.</para>
+ <para>The name of the interface the packet was processed
+ on, e.g., <devicename>dc0</devicename>.</para>
</listitem>
<listitem>
@@ -898,33 +920,36 @@ LOG_ERR - packets which have been logged
</listitem>
</orderedlist>
- <para>These can be viewed with <command>ipfstat
- -in</command>.</para>
+ <para>These can be viewed with
+ <command>ipfstat -in</command>.</para>
<orderedlist>
<listitem>
<para>The action: p for passed, b for blocked, S for a short
- packet, n did not match any rules, L for a log rule. The
- order of precedence in showing flags is: S, p, b, n, L. A
- capital P or B means that the packet has been logged due to
- a global logging setting, not a particular rule.</para>
+ packet, n did not match any rules, L for a log rule.
+ The order of precedence in showing flags is: S, p, b, n,
+ L. A capital P or B means that the packet has been logged
+ due to a global logging setting, not a particular
+ rule.</para>
</listitem>
<listitem>
<para>The addresses. This is actually three fields: the
source address and port (separated by a comma), the ->
symbol, and the destination address and port, e.g.:
- <literal>209.53.17.22,80 -> 198.73.220.17,1722</literal>.</para>
+ <literal>209.53.17.22,80 ->
+ 198.73.220.17,1722</literal>.</para>
</listitem>
<listitem>
- <para><literal>PR</literal> followed by the protocol name or
- number, e.g.: <literal>PR tcp</literal>.</para>
+ <para><literal>PR</literal> followed by the protocol name
+ or number, e.g.: <literal>PR tcp</literal>.</para>
</listitem>
<listitem>
<para><literal>len</literal> followed by the header length
- and total length of the packet, e.g.: <literal>len 20 40</literal>.</para>
+ and total length of the packet, e.g.:
+ <literal>len 20 40</literal>.</para>
</listitem>
</orderedlist>
@@ -935,9 +960,10 @@ LOG_ERR - packets which have been logged
flags.</para>
<para>If the packet is an ICMP packet, there will be two fields
- at the end, the first always being <quote>ICMP</quote>, and the
- next being the ICMP message and sub-message type, separated by
- a slash, e.g., ICMP 3/3 for a port unreachable message.</para>
+ at the end, the first always being <quote>ICMP</quote>, and
+ the next being the ICMP message and sub-message type,
+ separated by a slash, e.g., ICMP 3/3 for a port unreachable
+ message.</para>
</sect2>
<sect2 id="firewalls-ipf-rules-script">
@@ -945,17 +971,18 @@ LOG_ERR - packets which have been logged
Substitution</title>
<para>Some experienced IPF users create a file containing the
- rules and code them in a manner compatible with running them as
- a script with symbolic substitution. The major benefit of
- doing this is that only the value associated
- with the symbolic name needs to be changed, and when the script is run all the rules
- containing the symbolic name will have the value substituted in
- the rules. Being a script, symbolic substitution can be used
- to code frequently used values and substitute them in multiple
- rules. This can be seen in the following example.</para>
+ rules and code them in a manner compatible with running them
+ as a script with symbolic substitution. The major benefit
+ of doing this is that only the value associated with the
+ symbolic name needs to be changed, and when the script is
+ run all the rules containing the symbolic name will have the
+ value substituted in the rules. Being a script, symbolic
+ substitution can be used to code frequently used values and
+ substitute them in multiple rules. This can be seen in the
+ following example.</para>
- <para>The script syntax used here is compatible with the &man.sh.1;, &man.csh.1;,
- and &man.tcsh.1; shells.</para>
+ <para>The script syntax used here is compatible with the
+ &man.sh.1;, &man.csh.1;, and &man.tcsh.1; shells.</para>
<para>Symbolic substitution fields are prefixed with a dollar
sign: <literal>$</literal>.</para>
@@ -998,11 +1025,11 @@ pass out quick on $oif proto tcp
EOF
################## End of IPF rules script ########################</programlisting>
- <para>That is all there is to it. The rules are not important in
- this example; how the symbolic substitution fields are
+ <para>That is all there is to it. The rules are not important
+ in this example; how the symbolic substitution fields are
populated and used are. If the above example was in a file
- named <filename>/etc/ipf.rules.script</filename>, these rules could be
- reloaded by entering the following command:</para>
+ named <filename>/etc/ipf.rules.script</filename>, these rules
+ could be reloaded by entering the following command:</para>
<screen>&prompt.root; <userinput>sh /etc/ipf.rules.script</userinput></screen>
@@ -1029,9 +1056,10 @@ EOF
value) into <filename>/etc/rc.conf</filename> file.</para>
<para>Add a script like the following to your
- <filename class="directory">/usr/local/etc/rc.d/</filename> startup
- directory. The script should have an obvious name like
- <filename>ipf.loadrules.sh</filename>. The
+ <filename
+ class="directory">/usr/local/etc/rc.d/</filename>
+ startup directory. The script should have an obvious
+ name like <filename>ipf.loadrules.sh</filename>. The
<filename>.sh</filename> extension is mandatory.</para>
<programlisting>#!/bin/sh
@@ -1053,30 +1081,31 @@ sh /etc/ipf.rules.script</programlisting
<para>A ruleset is a group of IPF rules coded to pass or block
packets based on the values contained in the packet. The
- bi-directional exchange of packets between hosts comprises a
- session conversation. The firewall ruleset processes both the
- packets arriving from the public Internet, as well as the packets
- produced by the system as a response to them.
+ bi-directional exchange of packets between hosts comprises
+ a session conversation. The firewall ruleset processes both
+ the packets arriving from the public Internet, as well as the
+ packets produced by the system as a response to them.
Each <acronym>TCP/IP</acronym> service (i.e.: telnet, www,
- mail, etc.) is predefined by its protocol and privileged (listening)
- port. Packets destined for a specific service, originate from the
- source address using an unprivileged (high order) port and target the
- specific service port on the destination address. All the above
- parameters (i.e.: ports and addresses) can be used as selection
- criteria to create rules which will pass or block services.</para>
+ mail, etc.) is predefined by its protocol and privileged
+ (listening) port. Packets destined for a specific service,
+ originate from the source address using an unprivileged (high
+ order) port and target the specific service port on the
+ destination address. All the above parameters (i.e.: ports
+ and addresses) can be used as selection criteria to create
+ rules which will pass or block services.</para>
<indexterm>
<primary>IPFILTER</primary>
<secondary>rule processing order</secondary>
- </indexterm>
+ </indexterm>
- <para>IPF was originally written using a rules processing logic
- of <quote>the last matching rule wins</quote> and used only
- stateless rules. Over time IPF has been enhanced to include a
- <quote>quick</quote> option and a stateful <quote>keep
- state</quote> option which drastically modernized the rule
- processing logic.</para>
+ <para>IPF was originally written using a rules processing
+ logic of <quote>the last matching rule wins</quote> and used
+ only stateless rules. Over time IPF has been enhanced to
+ include a <quote>quick</quote> option and a stateful
+ <quote>keep state</quote> option which drastically modernized
+ the rule processing logic.</para>
<para>The instructions contained in this section are based on
using rules that contain the <quote>quick</quote> option and
@@ -1086,8 +1115,8 @@ sh /etc/ipf.rules.script</programlisting
<warning>
<para>When working with the firewall rules, be <emphasis>very
- careful</emphasis>. Some configurations <emphasis>will
- lock you out</emphasis> of the server. To be on the safe
+ careful</emphasis>. Some configurations <emphasis>will
+ lock you out</emphasis> of the server. To be on the safe
side, you may wish to consider performing the initial
firewall configuration from the local console rather than
doing it remotely e.g., via
@@ -1104,27 +1133,28 @@ sh /etc/ipf.rules.script</programlisting
<secondary>rule syntax</secondary>
</indexterm>
- <para>The rule syntax presented here has been simplified to only
- address the modern stateful rule context and <quote>first
- matching rule wins</quote> logic. For the complete legacy rule
- syntax description see the &man.ipf.8; manual page.</para>
-
- <para>A <literal>#</literal> character is used to mark the start
- of a comment and may appear at the end of a rule line or on its
- own line. Blank lines are ignored.</para>
-
- <para>Rules contain keywords. These keywords have to be coded in
- a specific order from left to right on the line. Keywords are
- identified in bold type. Some keywords have sub-options which
- may be keywords themselves and also include more sub-options.
- Each of the headings in the below syntax has a bold section
- header which expands on the content.</para>
+ <para>The rule syntax presented here has been simplified to
+ only address the modern stateful rule context and <quote>first
+ matching rule wins</quote> logic. For the complete legacy
+ rule syntax description see the &man.ipf.8; manual
+ page.</para>
+
+ <para>A <literal>#</literal> character is used to mark the
+ start of a comment and may appear at the end of a rule line
+ or on its own line. Blank lines are ignored.</para>
+
+ <para>Rules contain keywords. These keywords have to be coded
+ in a specific order from left to right on the line. Keywords
+ are identified in bold type. Some keywords have sub-options
+ which may be keywords themselves and also include more
+ sub-options. Each of the headings in the below syntax has
+ a bold section header which expands on the content.</para>
<!-- This section is probably wrong. See the OpenBSD flag -->
<!-- What is the "OpenBSD flag"? Reference please -->
- <para><replaceable>ACTION IN-OUT OPTIONS SELECTION STATEFUL PROTO
- SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG
+ <para><replaceable>ACTION IN-OUT OPTIONS SELECTION STATEFUL
+ PROTO SRC_ADDR,DST_ADDR OBJECT PORT_NUM TCP_FLAG
STATEFUL</replaceable></para>
<para><replaceable>ACTION</replaceable> = block | pass</para>
@@ -1132,19 +1162,20 @@ sh /etc/ipf.rules.script</programlisting
<para><replaceable>IN-OUT</replaceable> = in | out</para>
<para><replaceable>OPTIONS</replaceable> = log | quick | on
- interface-name</para>
+ interface-name</para>
<para><replaceable>SELECTION</replaceable> = proto value |
- source/destination IP | port = number | flags
- flag-value</para>
+ source/destination IP | port = number | flags
+ flag-value</para>
<para><replaceable>PROTO</replaceable> = tcp/udp | udp | tcp |
- icmp</para>
+ icmp</para>
<para><replaceable>SRC_ADD,DST_ADDR</replaceable> = all | from
- object to object</para>
+ object to object</para>
- <para><replaceable>OBJECT</replaceable> = IP address | any</para>
+ <para><replaceable>OBJECT</replaceable> = IP address |
+ any</para>
<para><replaceable>PORT_NUM</replaceable> = port number</para>
@@ -1160,8 +1191,8 @@ sh /etc/ipf.rules.script</programlisting
<emphasis>must</emphasis> have an action. The following
actions are recognized:</para>
- <para><literal>block</literal> indicates that the packet should
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
More information about the svn-doc-all
mailing list