svn commit: r43916 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Fri Feb 14 01:30:44 UTC 2014
Author: dru
Date: Fri Feb 14 01:30:43 2014
New Revision: 43916
URL: http://svnweb.freebsd.org/changeset/doc/43916
Log:
Finish subsection on enabling PF.
Comment out pfsync section for now as it is no longer true. At some point
a section should be adding demonstrating how to use it.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 00:15:36 2014 (r43915)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 01:30:43 2014 (r43916)
@@ -232,24 +232,27 @@
<sect2>
<title>Enabling <application>PF</application></title>
- <para>In order to use <application>PF</application>, its module must be first
- loaded. Add the following line to
+ <para>In order to use <application>PF</application>, its kernel module must be first
+ loaded. This section describes the entries that can be added
+ to <filename>/etc/rc.conf</filename> in order to enable
+ <application>PF</application>.</para>
+
+ <para>Start by adding the following line to
<filename>/etc/rc.conf</filename>:</para>
<programlisting>pf_enable="YES"</programlisting>
- <para>Additional options can be passed to
- <application>PF</application> when it is started. Refer to
- &man.pfctl.8; for the available options and specify any
- required flags by
- adding another entry to <filename>/etc/rc.conf</filename>:</para>
+ <para>Additional options, described in &man.pfctl.8;, can be passed to
+ <application>PF</application> when it is started. Add this entry to
+ <filename>/etc/rc.conf</filename> and specify any
+ required flags between the two quotes (<literal>""</literal>):</para>
<programlisting>pf_flags="" # additional flags for pfctl startup</programlisting>
- <para>The module will not load if it cannot find the
- ruleset configuration file. A default ruleset is located
- <filename>/etc/pf.conf</filename>. If a custom ruleset is
- located somewhere else, add a line to
+ <para><application>PF</application> will not start if it cannot find its
+ ruleset configuration file. The default ruleset is already created and is named
+ <filename>/etc/pf.conf</filename>. If a custom ruleset has
+ been saved somewhere else, add a line to
<filename>/etc/rc.conf</filename> which specifies the full
path to the file:</para>
@@ -260,33 +263,35 @@
<filename>/usr/share/examples/pf/</filename>. The rest of
this chapter demonstrates how to create a custom ruleset.</para>
- <para>Then, run the startup script to load the module:</para>
-
- <screen>&prompt.root; <userinput>service pf start</userinput></screen>
<para>Logging support for <application>PF</application> is provided by
- &man.pflog.4; which can be loaded by adding the
- following line to <filename>/etc/rc.conf</filename>:</para>
+ &man.pflog.4;. To enable logging support, add this
+ line to <filename>/etc/rc.conf</filename>:</para>
<programlisting>pflog_enable="YES"</programlisting>
- <para>The following &man.rc.conf.5; statements can also be used to
+ <para>The following lines can also be added in order to
change the default location of the log file or to specify any
- additional flags:</para>
+ additional flags to pass to &man.pflog.4; when it is started:</para>
<programlisting>pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_flags="" # additional flags for pflogd startup</programlisting>
- <para>Save the edits, then run the startup script to load the logging module:</para>
-
- <screen>&prompt.root; <userinput>service pflog start</userinput></screen>
-
- <para>If there is a <acronym>LAN</acronym> behind the firewall and packets need to
+ <para>Finally, if there is a <acronym>LAN</acronym> behind the firewall and packets need to
be forwarded for the computers on the <acronym>LAN</acronym>, or <acronym>NAT</acronym> is required,
add the following option:</para>
<programlisting>gateway_enable="YES" # Enable as LAN gateway</programlisting>
- <indexterm>
+ <para>After saving the needed edits,
+ <application>PF</application> can be started with logging support by typing:</para>
+
+ <screen>&prompt.root; <userinput>service pf start</userinput>
+&prompt.root; <userinput>service pflog start</userinput></screen>
+
+<!--
+This is no longer true as of 9.x. It also references the CARP section
+which doesn't explain how to use it...At some point it should.
+ <indexterm>
<primary>kernel options</primary>
<secondary>device pf</secondary>
</indexterm>
@@ -304,8 +309,7 @@ pflog_flags="" # additi
<note>
<para>While it is not necessary to compile
<application>PF</application> support into the &os; kernel,
- some of PF's advanced features are not included in the
- loadable module, namely &man.pfsync.4;, which is a
+ some advanced features are not included, namely &man.pfsync.4;, which is a
pseudo-device that exposes certain changes to the state table
used by <application>PF</application>. It can be paired with
&man.carp.4; to create failover firewalls using
@@ -319,6 +323,8 @@ pflog_flags="" # additi
device pflog
device pfsync</programlisting>
+ <para>where:</para>
+
<para><literal>device pf</literal> enables PF support.</para>
<para><literal>device pflog</literal> enables the optional
@@ -331,6 +337,7 @@ device pfsync</programlisting>
&man.pfsync.4; pseudo-network device that is used to monitor
<quote>state changes</quote>.</para>
</note>
+ -->
</sect2>
<sect2>
More information about the svn-doc-all
mailing list