svn commit: r43909 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at FreeBSD.org
Thu Feb 13 22:45:32 UTC 2014


Author: dru
Date: Thu Feb 13 22:45:31 2014
New Revision: 43909
URL: http://svnweb.freebsd.org/changeset/doc/43909

Log:
  Start review of firewall chapter.
  Many more commits to follow.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Thu Feb 13 22:11:27 2014	(r43908)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Thu Feb 13 22:45:31 2014	(r43909)
@@ -41,7 +41,7 @@
   </indexterm>
 
   <sect1 xml:id="firewalls-intro">
-    <title>Introduction</title>
+    <title>Synopsis</title>
 
     <para>Firewalls make it possible to filter the incoming and
       outgoing traffic that flows through a system.  A firewall can
@@ -77,6 +77,25 @@
       </listitem>
     </itemizedlist>
 
+    <para>&os; has three firewalls built into the base system:
+      <application>PF</application>, <application>IPFILTER</application>, also known as
+      <application>IPF</application>, and
+      <application>IPFW</application>.
+      &os; also provides two traffic shapers for controlling bandwidth
+      usage: &man.altq.4; and &man.dummynet.4;.
+      <application>ALTQ</application> has
+      traditionally been closely tied with <application>PF</application> and
+      <application>dummynet</application> with <application>IPFW</application>.
+      Each
+      firewall uses rules to control the access of packets to and from
+      a &os; system, although they go about it in different ways and
+      each has a different rule syntax.</para>
+
+    <para>&os; provides multiple firewalls in order to meet the
+      different requirements and preferences for a wide variety of
+      users.  Each user should evaluate which firewall best meets
+      their needs.</para>
+ 
     <para>After reading this chapter, you will know:</para>
 
     <itemizedlist>
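Review bot: the separator line added at the end of this hunk, just before `<para>After reading this chapter, you will know:</para>`, is a `+` line containing only a space; drop the trailing whitespace so it is a genuinely empty line. In the new opening sentence the list `PF, IPFILTER, also known as IPF, and IPFW` parses ambiguously because the `also known as` clause sits between list items; `PF, IPFILTER (also known as IPF), and IPFW` reads cleanly. Also note the markup mix within the same paragraph: dummynet appears both as `<application>dummynet</application>` and as `&man.dummynet.4;`, and ALTQ is tagged `<application>` here but remains `<acronym>ALTQ</acronym>` in the unchanged `(Alternate Queuing)` line of the PF section below; pick one convention per name.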
@@ -112,6 +131,18 @@
 	<para>Understand basic &os; and Internet concepts.</para>
       </listitem>
     </itemizedlist>
+
+    <note>
+    <para>Since all firewalls are based on inspecting the values of
+      selected packet control fields, the creator of the firewall
+      ruleset must have an understanding of how
+      <acronym>TCP/IP</acronym> works, what the different values in
+      the packet control fields are, and how these values are used in
+      a normal session conversation.  For a good introduction, refer
+      to
+      <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's
+	TCP/IP Primer</link>.</para>   
+    </note>
   </sect1>
 
   <sect1 xml:id="firewalls-concepts">
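Review bot: inside the new `<note>` the `<para>` is indented at the same level as `<note>` rather than one level deeper, and the closing `</para>` carries trailing whitespace; re-indent to match the surrounding `<para>` blocks and strip the trailing spaces. The text itself is the paragraph dropped from the old firewalls-apps section, so it is a straight move and reads fine as a note here.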
@@ -156,37 +187,6 @@
       combination of stateful and non-stateful behavior.</para>
   </sect1>
 
-  <sect1 xml:id="firewalls-apps">
-    <title>Firewall Packages</title>
-
-    <para>&os; has three firewalls built into the base system:
-      <emphasis>IPFILTER</emphasis>, also known as
-      <acronym>IPF</acronym>, <emphasis>IPFIREWALL</emphasis>, also
-      known as <acronym>IPFW</acronym>, and <acronym>PF</acronym>).
-      &os; also provides two traffic shapers for controlling bandwidth
-      usage: &man.altq.4; and &man.dummynet.4;.  Dummynet has
-      traditionally been closely tied with <acronym>IPFW</acronym>,
-      and <acronym>ALTQ</acronym> with <acronym>PF</acronym>.  Each
-      firewall uses rules to control the access of packets to and from
-      a &os; system, although they go about it in different ways and
-      each has a different rule syntax.</para>
-
-    <para>&os; provides multiple firewalls in order to meet the
-      different requirements and preferences for a wide variety of
-      users.  Each user should evaluate which firewall best meets
-      their needs.</para>
-
-    <para>Since all firewalls are based on inspecting the values of
-      selected packet control fields, the creator of the firewall
-      ruleset must have an understanding of how
-      <acronym>TCP/IP</acronym> works, what the different values in
-      the packet control fields are, and how these values are used in
-      a normal session conversation.  For a good introduction, refer
-      to
-      <link xlink:href="http://www.ipprimer.com/overview.cfm">Daryl's
-	TCP/IP Primer</link>.</para>
-  </sect1>
-
   <sect1 xml:id="firewalls-pf">
     <info>
       <title>PF and <acronym>ALTQ</acronym></title>
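Review bot: removing the section with `xml:id="firewalls-apps"` will break any `linkend="firewalls-apps"` reference elsewhere in the Handbook, as well as external links to that anchor; grep the doc tree for the id before committing, or keep the id on the new synopsis paragraph so existing links still resolve. The removal does also get rid of the stray `)` after `<acronym>PF</acronym>` in the old text, which the rewritten paragraph correctly omits.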
@@ -209,20 +209,20 @@
     </indexterm>
 
     <para>Since &os; 5.3, a ported version of OpenBSD's
-      <acronym>PF</acronym> firewall has been included as an
-      integrated part of the base system.  <acronym>PF</acronym> is a
+      <application>PF</application> firewall has been included as an
+      integrated part of the base system.  <application>PF</application> is a
       complete, full-featured firewall that has optional support for
       <acronym>ALTQ</acronym> (Alternate Queuing), which provides
       Quality of Service (<acronym>QoS</acronym>).</para>
 
     <para>Since the OpenBSD Project maintains the definitive
-      reference for <acronym>PF</acronym> in the
+      reference for <application>PF</application> in the
       <link xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
-      this section of the Handbook focuses on <acronym>PF</acronym> as
+      this section of the Handbook focuses on <application>PF</application> as
       it pertains to &os;, while providing some general usage
       information.</para>
 
-    <para>More information about porting <acronym>PF</acronym> to &os;
+    <para>More information about porting <application>PF</application> to &os;
       can be found at <uri
 	xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
 
@@ -252,7 +252,7 @@
 	can be found in
 	<filename>/usr/share/examples/pf/</filename>.</para>
 
-      <para>The <acronym>PF</acronym> module can also be loaded
+      <para>The <application>PF</application> module can also be loaded
 	manually from the command line:</para>
 
       <screen>&prompt.root; <userinput>kldload pf.ko</userinput></screen>
@@ -286,17 +286,17 @@
 	<secondary>device pfsync</secondary>
       </indexterm>
 
-      <para>While it is not necessary to compile <acronym>PF</acronym>
+      <para>While it is not necessary to compile <application>PF</application>
 	support into the &os; kernel, some of PF's advanced features
 	are not included in the loadable module, namely
 	&man.pfsync.4;, which is a pseudo-device that exposes certain
-	changes to the state table used by <acronym>PF</acronym>.  It
+	changes to the state table used by <application>PF</application>.  It
 	can be paired with &man.carp.4; to create failover firewalls
-	using <acronym>PF</acronym>.  More information on
+	using <application>PF</application>.  More information on
 	<acronym>CARP</acronym> can be found in
 	<link linkend="carp">of the Handbook</link>.</para>
 
-      <para>The following <acronym>PF</acronym> kernel options can be
+      <para>The following <application>PF</application> kernel options can be
 	found in <filename>/usr/src/sys/conf/NOTES</filename>:</para>
 
       <programlisting>device pf
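Review bot: two unchanged lines in this hunk deserve a fix while the paragraph is being edited: `some of PF's advanced features` leaves PF untagged, and `<link linkend="carp">of the Handbook</link>` has lost its subject, so the sentence reads `can be found in of the Handbook`; something like `in <link linkend="carp">the CARP section</link> of the Handbook` would repair it.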
@@ -320,7 +320,7 @@ device pfsync</programlisting>
       <title>Available <filename>rc.conf</filename> Options</title>
 
       <para>The following &man.rc.conf.5; statements can be used to
-	configure <acronym>PF</acronym> and &man.pflog.4; at
+	configure <application>PF</application> and &man.pflog.4; at
 	boot:</para>
 
       <programlisting>pf_enable="YES"                 # Enable PF (load module if required)
@@ -340,14 +340,14 @@ pflog_flags=""                  # additi
     <sect2>
       <title>Creating Filtering Rules</title>
 
-      <para>By default, <acronym>PF</acronym> reads its configuration
+      <para>By default, <application>PF</application> reads its configuration
 	rules from <filename>/etc/pf.conf</filename> and modifies,
 	drops, or passes packets according to the rules or definitions
 	specified in this file.  The &os; installation includes
 	several sample files located in
 	<filename>/usr/share/examples/pf/</filename>.  Refer to the
 	<link xlink:href="http://www.openbsd.org/faq/pf/">PF
-	  FAQ</link> for complete coverage of <acronym>PF</acronym>
+	  FAQ</link> for complete coverage of <application>PF</application>
 	rulesets.</para>
 
       <warning>
@@ -356,18 +356,18 @@ pflog_flags=""                  # additi
 	  keep in mind that different versions of &os; contain
 	  different versions of PF.  Currently,
 	  &os; 8.<replaceable>X</replaceable> is using the same
-	  version of <acronym>PF</acronym> as OpenBSD 4.1.
+	  version of <application>PF</application> as OpenBSD 4.1.
 	  &os; 9.<replaceable>X</replaceable> and later is using
-	  the same version of <acronym>PF</acronym> as
+	  the same version of <application>PF</application> as
 	  OpenBSD 4.5.</para>
       </warning>
 
       <para>The &a.pf; is a good place to ask questions about
-	configuring and running the <acronym>PF</acronym> firewall.
+	configuring and running the <application>PF</application> firewall.
 	Do not forget to check the mailing list archives before asking
 	questions.</para>
 
-      <para>To control <acronym>PF</acronym>, use &man.pfctl.8;.
+      <para>To control <application>PF</application>, use &man.pfctl.8;.
 	Below are some useful options to this command.  Review
 	&man.pfctl.8; for a description of all available
 	options:</para>
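Review bot: the unchanged line `different versions of PF.  Currently,` at the top of the warning leaves PF untagged while the two changed lines just below it now use `<application>PF</application>`; tag it the same way so the warning is consistent.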
@@ -482,7 +482,7 @@ options         ALTQ_NOPCC      # Requir
 
     <sect2 xml:id="pf-tutorial">
       <info>
-	<title><acronym>PF</acronym> Rule Sets and Tools</title>
+	<title><application>PF</application> Rule Sets and Tools</title>
 
 	<authorgroup>
 	  <author>
@@ -497,7 +497,7 @@ options         ALTQ_NOPCC      # Requir
       </info>
 
       <para>This section demonstrates some useful
-	<acronym>PF</acronym> features and <acronym>PF</acronym>
+	<application>PF</application> features and <application>PF</application>
 	related tools in a series of examples.  A more thorough
 	tutorial is available at <link
 	  xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
@@ -546,7 +546,7 @@ pass out all keep state</programlisting>
 		Six Dumbest Ideas in Computer Security</link>, and
 	      it is well written too.</para></footnote>.  This gives
 	  us the opportunity to introduce two of the features which
-	  make <acronym>PF</acronym> such a wonderful tool:
+	  make <application>PF</application> such a wonderful tool:
 	  <firstterm>lists</firstterm> and
 	  <firstterm>macros</firstterm>.</para>
 
@@ -563,7 +563,7 @@ udp_services = "{ domain }"</programlist
 
 	<para>Now we have demonstrated several things at once - what
 	  macros look like, that macros may be lists, and that
-	  <acronym>PF</acronym> understands rules using port names
+	  <application>PF</application> understands rules using port names
 	  equally well as it does port numbers.  The names are the
 	  ones listed in <filename>/etc/services</filename>.  This
 	  gives us something to put in our rules, which we edit
@@ -574,7 +574,7 @@ pass out proto tcp to any port $tcp_serv
 pass proto udp to any port $udp_services keep state</programlisting>
 
 	<para>At this point some of us will point out that UDP is
-	  stateless, but <acronym>PF</acronym> actually manages to
+	  stateless, but <application>PF</application> actually manages to
 	  maintain state information despite this.  Keeping state for
 	  a UDP connection means that for example when you ask a name
 	  server about a domain name, you will be able to receive its
@@ -602,7 +602,7 @@ pass proto udp to any port $udp_services
 	  only, but does not load them.  This provides an opportunity
 	  to correct any errors.  Under any circumstances, the last
 	  valid rule set loaded will be in force until
-	  <acronym>PF</acronym> is disabled or a new rule set is
+	  <application>PF</application> is disabled or a new rule set is
 	  loaded.</para>
 
 	<tip>
@@ -623,7 +623,7 @@ pass proto udp to any port $udp_services
 	<para>To most users, a single machine setup will be of limited
 	  interest, and at this point we move on to more realistic or
 	  at least more common setups, concentrating on a machine
-	  which is running <acronym>PF</acronym> and also acts as a
+	  which is running <application>PF</application> and also acts as a
 	  gateway for at least one other machine.</para>
 
 	<sect4 xml:id="pftut-gwpitfalls">
@@ -851,7 +851,7 @@ pass from { lo0, $localnet } to any keep
 	    relationships between the rules in a rule set.  The rules
 	    are evaluated from top to bottom, in the sequence they are
 	    written in the configuration file.  For each packet or
-	    connection evaluated by <acronym>PF</acronym>,
+	    connection evaluated by <application>PF</application>,
 	    <emphasis>the last matching rule</emphasis> in the rule
 	    set is the one which is applied.  The
 	    <literal>quick</literal> keyword offers an escape from the
@@ -928,7 +928,7 @@ pass from { lo0, $localnet } to any keep
 	    gateway is amazingly simple, thanks to the
 	    <acronym>FTP</acronym> proxy program (called
 	    &man.ftp-proxy.8;) included in the base system on &os; and
-	    other systems which offer <acronym>PF</acronym>.</para>
+	    other systems which offer <application>PF</application>.</para>
 
 	  <para>The <acronym>FTP</acronym> protocol being what it is,
 	    the proxy needs to dynamically insert rules in your rule
@@ -944,7 +944,7 @@ pass from { lo0, $localnet } to any keep
 
 	  <para>Starting the proxy manually by running
 	    <command>/usr/sbin/ftp-proxy</command> allows testing of
-	    the <acronym>PF</acronym> configuration changes we are
+	    the <application>PF</application> configuration changes we are
 	    about to make.</para>
 
 	  <para>For a basic configuration, only three elements need to
@@ -1006,7 +1006,7 @@ rdr-anchor "ftp-proxy/*"</programlisting
 	    page.</para>
 
 	  <para>For ways to run an <acronym>FTP</acronym> server
-	    protected by <acronym>PF</acronym> and &man.ftp-proxy.8;,
+	    protected by <application>PF</application> and &man.ftp-proxy.8;,
 	    look into running a separate <command>ftp-proxy</command>
 	    in reverse mode (using <option>-R</option>), on a separate
 	    port with its own redirecting pass rule.</para>
@@ -1099,7 +1099,7 @@ pass inet proto icmp from any to $ext_if
 
 	  <para>Stopping probes at the gateway might be an attractive
 	    option anyway, but let us have a look at a few other
-	    options which will show some of <acronym>PF</acronym>'s
+	    options which will show some of <application>PF</application>'s
 	    flexibility.</para>
 	</sect4>
 
@@ -1166,7 +1166,7 @@ pass out on $ext_if inet proto udp from 
 	    places from <link
 	      xlink:href="http://marc.theaimsgroup.com/">http://marc.theaimsgroup.com/</link>),
 	    to be a very valuable resource whenever you need OpenBSD
-	    or <acronym>PF</acronym> related information.</para>
+	    or <application>PF</application> related information.</para>
 	</sect4>
 
 	<sect4 xml:id="pftut-pathmtudisc">
@@ -1207,7 +1207,7 @@ pass out on $ext_if inet proto udp from 
 
 	  <programlisting>pass inet proto icmp all icmp-type $icmp_types keep state</programlisting>
 
-	  <para><acronym>PF</acronym> allows filtering on all
+	  <para><application>PF</application> allows filtering on all
 	    variations of <acronym>ICMP</acronym> types and codes.
 	    For those who want to delve into what to pass (or not) of
 	    <acronym>ICMP</acronym> traffic, the list of possible
@@ -1235,7 +1235,7 @@ pass out on $ext_if inet proto udp from 
 	  and rigid.  There will after all be some kinds of data which
 	  are relevant to filtering and redirection at a given time,
 	  but do not deserve to be put into a configuration file!
-	  Quite right, and <acronym>PF</acronym> offers mechanisms for
+	  Quite right, and <application>PF</application> offers mechanisms for
 	  handling these situations as well.  Tables are one such
 	  feature, mainly useful as lists which can be manipulated
 	  without needing to reload the entire rule set, and where
@@ -1323,7 +1323,7 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail
 	  22222 for a repeat performance.</para>
 
 	<para>Since OpenBSD 3.7, and soon after in &os; version 6.0,
-	  <acronym>PF</acronym> has offered a slightly more elegant
+	  <application>PF</application> has offered a slightly more elegant
 	  solution.  Pass rules can be written so they maintain
 	  certain limits on what connecting hosts can do.  For good
 	  measure, violators can be banished to a table of addresses
@@ -1488,10 +1488,10 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail
       </sect3>
 
       <sect3 xml:id="pftut-tools">
-	<title>Other <acronym>PF</acronym> Tools</title>
+	<title>Other <application>PF</application> Tools</title>
 
 	<para>Over time, a number of tools have been developed which
-	  interact with <acronym>PF</acronym> in various ways.</para>
+	  interact with <application>PF</application> in various ways.</para>
 
 	<sect4 xml:id="pftut-pftop">
 	  <title>The <application>pftop</application> Traffic
@@ -1514,11 +1514,11 @@ Sep 26 03:12:44 skapet sshd[24703]: Fail
 	  <para>Not to be confused with the
 	    <application>spamd</application> daemon which comes
 	    bundled with <application>spamassassin</application>, the
-	    <acronym>PF</acronym> companion
+	    <application>PF</application> companion
 	    <application>spamd</application> was designed to run on a
 	    PF gateway to form part of the outer defense against spam.
 	    <application>spamd</application> hooks into the
-	    <acronym>PF</acronym> configuration via a set of
+	    <application>PF</application> configuration via a set of
 	    redirections.</para>
 
 	  <para>The main point underlying the
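Review bot: the plain `PF gateway` on the unchanged line between the two converted `<application>PF</application>` lines is left untagged; since every other occurrence in this paragraph is being converted, this one should follow.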
@@ -1819,7 +1819,7 @@ rdr pass on $ext_if inet proto tcp from 
 	      can be set in the <literal>options</literal> part of the
 	      ruleset, which precedes the redirection and filtering
 	      rules.  This option determines which feedback, if any,
-	      <acronym>PF</acronym> will give to hosts which try to
+	      <application>PF</application> will give to hosts which try to
 	      create connections which are subsequently blocked.  The
 	      option has two possible values, <literal>drop</literal>,
 	      which drops blocked packets with no feedback, and
@@ -1838,7 +1838,7 @@ rdr pass on $ext_if inet proto tcp from 
 	  <sect5 xml:id="pftut-scrub">
 	    <title><literal>scrub</literal></title>
 
-	    <para>In <acronym>PF</acronym> versions up to OpenBSD 4.5
+	    <para>In <application>PF</application> versions up to OpenBSD 4.5
 	      inclusive, <literal>scrub</literal> is a keyword which
 	      enables network packet normalization, causing fragmented
 	      packets to be assembled and removing ambiguity.
@@ -1853,7 +1853,7 @@ rdr pass on $ext_if inet proto tcp from 
 
 	    <para>Some services, such as NFS, require some specific
 	      fragment handling options.  This is extensively
-	      documented in the <acronym>PF</acronym> user guide and
+	      documented in the <application>PF</application> user guide and
 	      man pages provide all the information you could
 	      need.</para>
 

