svn commit: r43926 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Fri Feb 14 18:45:04 UTC 2014
Author: dru
Date: Fri Feb 14 18:45:03 2014
New Revision: 43926
URL: http://svnweb.freebsd.org/changeset/doc/43926
Log:
Continue to shuffle and improve flow of this chapter.
Many more commits to come.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 17:29:44 2014 (r43925)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Fri Feb 14 18:45:03 2014 (r43926)
@@ -218,17 +218,39 @@
<application>ALTQ</application> (Alternate Queuing), which
provides Quality of Service (<acronym>QoS</acronym>).</para>
- <para>Since the OpenBSD Project maintains the definitive
+ <para>The OpenBSD Project maintains the definitive
reference for <application>PF</application> in the <link
- xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
- this section of the Handbook focuses on
- <application>PF</application> as it pertains to &os;, while
- providing some general usage information.</para>
+ xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>.
+ Peter Hansteen maintains a thorough <application>PF</application> tutorial at <link
+ xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
+
+ <warning>
+ <para>When reading the <link
+ xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
+ keep in mind that different versions of &os; contain
+ different versions of <application>PF</application>.
+ &os; 8.<replaceable>X</replaceable> uses the same
+ version of <application>PF</application> as
+ OpenBSD 4.1 and &os; 9.<replaceable>X</replaceable>
+ and later uses the same version of
+ <application>PF</application> as OpenBSD 4.5.</para>
+ </warning>
+
+ <para>The &a.pf; is a good place to ask questions about
+ configuring and running the <application>PF</application>
+ firewall. Check the mailing list archives
+ before asking a question as it may have already been answered.</para>
<para>More information about porting <application>PF</application>
to &os; can be found at <uri
xlink:href="http://pf4freebsd.love2party.net/">http://pf4freebsd.love2party.net/</uri>.</para>
+ <para>This section of the Handbook focuses on
+ <application>PF</application> as it pertains to &os;. It
+ demonstrates how to enable <application>PF</application> and
+ <application>ALTQ</application>. It then provides several
+ examples for creating rulesets on a &os; system.</para>
+
<sect2>
<title>Enabling <application>PF</application></title>
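Review bot: the new warning runs two version statements into one sentence and mismatches number ("&os; 9.X and later uses"); split it so it reads "&os; 8.X uses the same version of PF as OpenBSD 4.1. &os; 9.X and later use the same version of PF as OpenBSD 4.5." The added Peter Hansteen link line is also noticeably longer than the surrounding wrapped lines, so rewrap it to the column width used by the rest of the chapter.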
@@ -260,12 +282,6 @@
<programlisting>pf_rules="<replaceable>/path/to/pf.conf</replaceable>"</programlisting>
- <para>The sample <filename>pf.conf</filename>
- can be found in
- <filename>/usr/share/examples/pf/</filename>. The rest of
- this chapter demonstrates how to create a custom
- ruleset.</para>
-
<para>Logging support for <application>PF</application> is
provided by &man.pflog.4;. To enable logging support, add
this line to <filename>/etc/rc.conf</filename>:</para>
@@ -344,6 +360,78 @@ device pfsync</programlisting>
<quote>state changes</quote>.</para>
</note>
-->
+
+ <para>By default, <application>PF</application> reads its
+ configuration rules from <filename>/etc/pf.conf</filename> and
+ modifies, drops, or passes packets according to the rules or
+ definitions specified in this file. The &os; installation
+ includes several sample files located in
+ <filename>/usr/share/examples/pf/</filename>. Refer to the
+ <link xlink:href="http://www.openbsd.org/faq/pf/">PF
+ FAQ</link> for complete coverage of
+ <application>PF</application> rulesets.</para>
+
+ <para>To control <application>PF</application>, use
+ <command>pfctl</command>. <xref
+ linkend="pfctl"/> summarizes some useful options to this command.
+ Refer to &man.pfctl.8; for a description of all available
+ options:</para>
+
+ <table xml:id="pfctl" frame="none" pgwide="1">
+ <title>Useful <command>pfctl</command> Options</title>
+
+ <tgroup cols="2">
+ <thead>
+ <row>
+ <entry>Command</entry>
+ <entry>Purpose</entry>
+ </row>
+ </thead>
+
+ <tbody>
+ <row>
+ <entry><command>pfctl
+ -e</command></entry>
+ <entry>Enable <application>PF</application>.</entry>
+ </row>
+
+ <row>
+ <entry><command>pfctl
+ -d</command></entry>
+ <entry>Disable <application>PF</application>.</entry>
+ </row>
+
+ <row>
+ <entry><command>pfctl -F all
+ -f /etc/pf.conf</command></entry>
+ <entry>Flush all <acronym>NAT</acronym>, filter, state, and table
+ rules and reload
+ <filename>/etc/pf.conf</filename>.</entry>
+ </row>
+
+ <row>
+ <entry><command>pfctl -s [ rules | nat
+ state ]</command></entry>
+ <entry>Report on the filter rules, <acronym>NAT</acronym> rules, or state
+ table.</entry>
+ </row>
+
+ <row>
+ <entry><command>pfctl -vnf
+ /etc/pf.conf</command></entry>
+ <entry>Check <filename>/etc/pf.conf</filename> for
+ errors, but do not load ruleset.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
+
+ <tip>
+ <para><package>security/sudo</package> is useful for running
+ commands like <command>pfctl</command> that require elevated
+ privileges. It can be installed from the Ports
+ Collection.</para>
+ </tip>
</sect2>
<sect2>
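Review bot: the `pfctl -s [ rules | nat state ]` entry in the new table is missing the separator between `nat` and `state`; it should read `pfctl -s [ rules | nat | state ]` so the bracketed alternatives match the three items the Purpose column lists. This defect was carried over from the old informaltable, so the move is a good moment to fix it.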
@@ -434,93 +522,9 @@ options ALTQ_PRIQ # Priori
xlink:href="http://www.openbsd.org/faq/pf/queueing.html">http://www.openbsd.org/faq/pf/queueing.html</uri>.</para>
</sect2>
- <sect2>
- <title>Creating Filtering Rules</title>
-
- <para>By default, <application>PF</application> reads its
- configuration rules from <filename>/etc/pf.conf</filename> and
- modifies, drops, or passes packets according to the rules or
- definitions specified in this file. The &os; installation
- includes several sample files located in
- <filename>/usr/share/examples/pf/</filename>. Refer to the
- <link xlink:href="http://www.openbsd.org/faq/pf/">PF
- FAQ</link> for complete coverage of
- <application>PF</application> rulesets.</para>
-
- <warning>
- <para>When reading the <link
- xlink:href="http://www.openbsd.org/faq/pf/">PF FAQ</link>,
- keep in mind that different versions of &os; contain
- different versions of PF. Currently,
- &os; 8.<replaceable>X</replaceable> is using the same
- version of <application>PF</application>
- OpenBSD 4.1. &os; 9.<replaceable>X</replaceable>
- and later is using the same version of
- <application>PF</application> as OpenBSD 4.5.</para>
- </warning>
-
- <para>The &a.pf; is a good place to ask questions about
- configuring and running the <application>PF</application>
- firewall. Do not forget to check the mailing list archives
- before asking questions.</para>
-
- <para>To control <application>PF</application>, use
- &man.pfctl.8;. Below are some useful options to this command.
- Review &man.pfctl.8; for a description of all available
- options:</para>
-
- <informaltable frame="none" pgwide="1">
- <tgroup cols="2">
- <thead>
- <row>
- <entry>Command</entry>
- <entry>Purpose</entry>
- </row>
- </thead>
-
- <tbody>
- <row>
- <entry><command>pfctl
- -e</command></entry>
- <entry>Enable PF.</entry>
- </row>
-
- <row>
- <entry><command>pfctl
- -d</command></entry>
- <entry>Disable PF.</entry>
- </row>
-
- <row>
- <entry><command>pfctl -F all
- -f /etc/pf.conf</command></entry>
- <entry>Flush all NAT, filter, state, and table
- rules and reload
- <filename>/etc/pf.conf</filename>.</entry>
- </row>
-
- <row>
- <entry><command>pfctl -s [ rules | nat
- state ]</command></entry>
- <entry>Report on the filter rules, NAT rules, or state
- table.</entry>
- </row>
-
- <row>
- <entry><command>pfctl -vnf
- /etc/pf.conf</command></entry>
- <entry>Check <filename>/etc/pf.conf</filename> for
- errors, but do not load ruleset.</entry>
- </row>
- </tbody>
- </tgroup>
- </informaltable>
- </sect2>
-
<sect2 xml:id="pf-tutorial">
<info>
- <title><application>PF</application> Rule Sets and
- Tools</title>
+ <title><application>PF</application> Rulesets</title>
<authorgroup>
<author>
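Review bot: the removed "Creating Filtering Rules" sect2 carried no xml:id, and the renamed section keeps xml:id="pf-tutorial", so no linkend needs updating for this hunk; the only follow-up is to check that the remaining body text adopts the "ruleset" spelling the new title introduces.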
@@ -534,21 +538,8 @@ options ALTQ_PRIQ # Priori
</authorgroup>
</info>
- <para>This section demonstrates some useful
- <application>PF</application> features and
- <application>PF</application> related tools in a series of
- examples. A more thorough tutorial is available at <link
- xlink:href="http://home.nuug.no/~peter/pf/">http://home.nuug.no/~peter/pf/</link>.</para>
-
- <tip>
- <para><package>security/sudo</package> is useful for running
- commands like <command>pfctl</command> that require elevated
- privileges. It can be installed from the Ports
- Collection.</para>
- </tip>
-
- <sect3 xml:id="pftut-simplest">
- <title>The Simplest Rule Set Ever</title>
+ <para>This section demonstrates how to create a customized
+ ruleset, using several examples.</para>
<para>The simplest possible setup is for a single machine
which will not run any services, and which will talk to one
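Review bot: dropping `<sect3 xml:id="pftut-simplest">` removes an anchor that other parts of the Handbook may reference with `<xref linkend="pftut-simplest"/>`; grep the tree for `pftut-simplest` before committing, since a dangling linkend fails the build rather than rendering as a warning.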
@@ -566,10 +557,6 @@ pass out all keep state</programlisting>
trusted. The rule set can be loaded with</para>
<screen>&prompt.root; <userinput>pfctl -e ; pfctl -f /etc/pf.conf</userinput></screen>
- </sect3>
-
- <sect3>
- <title>Tighter and More Elegant</title>
<para>For a slightly more structured and complete setup, we
start by denying everything and then allowing only those
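Review bot: with the "Tighter and More Elegant" sect3 removed, the paragraph starting "For a slightly more structured and complete setup" now follows the `<screen>` block with no heading to mark the change of example; consider opening it with a short transitional sentence. Also, the unchanged context line "The rule set can be loaded with" still uses "rule set", while the renamed title uses "ruleset"; make the spelling consistent.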
@@ -653,7 +640,6 @@ pass proto udp to any port $udp_services
exactly the way they will be loaded. This is extremely
useful when debugging rules.</para>
</tip>
- </sect3>
<sect3 xml:id="pftut-gateway">
<title>A Simple Gateway with NAT</title>
@@ -664,10 +650,6 @@ pass proto udp to any port $udp_services
which is running <application>PF</application> and also acts
as a gateway for at least one other machine.</para>
- <sect4 xml:id="pftut-gwpitfalls">
- <title>Gateways and the Pitfalls of <literal>in</literal>,
- <literal>out</literal> and <literal>on</literal></title>
-
<para>In the single machine setup, life is relatively
simple. Traffic created on it should either pass out to
the rest of the world or not, and the administrator
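Review bot: removing `<sect4 xml:id="pftut-gwpitfalls">` drops both an anchor (grep for `pftut-gwpitfalls` as with the other removed ids) and the only place that named the `in`, `out` and `on` keywords the following paragraphs discuss; fold that phrase into the first paragraph, for example "In the single machine setup, the `in`, `out` and `on` keywords rarely cause trouble," so the reader still knows what the pitfall is about.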
@@ -724,7 +706,6 @@ pass proto udp to any port $udp_services
<para>For the remainder of this section, with some
exceptions, we will keep the rules as simple as possible
for readability.</para>
- </sect4>
<sect4 xml:id="pftut-whatsthelocalnet">
<title>What is the Local Network, Anyway?</title>