svn commit: r44051 - head/en_US.ISO8859-1/books/handbook/firewalls

Dru Lavigne dru at FreeBSD.org
Tue Feb 25 15:57:18 UTC 2014


Author: dru
Date: Tue Feb 25 15:57:17 2014
New Revision: 44051
URL: http://svnweb.freebsd.org/changeset/doc/44051

Log:
  Finish editorial pass through IPF NAT.
  Comment out symbolic substitution section for now.
  It is confusing as written and may no longer be needed with IPF's new syntax.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Tue Feb 25 12:09:06 2014	(r44050)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml	Tue Feb 25 15:57:17 2014	(r44051)
@@ -2334,20 +2334,17 @@ map dc0 192.168.1.0/24 -> 204.134.75.
 	This eliminates the need to open large ranges of high order
 	ports for <acronym>FTP</acronym> connections.</para>
 
-      <para>This rule will handle all the traffic for the internal
-	LAN:</para>
-
-      <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp</programlisting>
-
-      <para>This rule handles the <acronym>FTP</acronym> traffic from
-	the gateway:</para>
-
-      <programlisting>map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp</programlisting>
-
-      <para>This rule handles all non-<acronym>FTP</acronym> traffic
-	from the internal LAN:</para>
-
-      <programlisting>map dc0 10.0.10.0/29 -> 0/32</programlisting>
+      <para>In this example, the first rule calls the proxy for
+	outbound <acronym>FTP</acronym> traffic from the internal
+	<acronym>LAN</acronym>.  The second rule passes the
+	<acronym>FTP</acronym> traffic from the firewall to the
+	Internet, and the third rule handles all
+	non-<acronym>FTP</acronym> traffic from the internal
+	<acronym>LAN</acronym>:</para>
+
+      <programlisting>map dc0 10.0.10.0/29 -> 0/32 proxy port 21 ftp/tcp
+map dc0 0.0.0.0/0 -> 0/32 proxy port 21 ftp/tcp
+map dc0 10.0.10.0/29 -> 0/32</programlisting>
 
       <para>The <acronym>FTP</acronym> <literal>map</literal> rules go
 	before the <acronym>NAT</acronym> rule so that when a packet
@@ -2359,12 +2356,9 @@ map dc0 192.168.1.0/24 -> 204.134.75.
 	<acronym>FTP</acronym> rules but will undergo
 	<acronym>NAT</acronym> if they match the third rule.</para>
 
-      <para>Only one filter rule is needed for <acronym>FTP</acronym>
-	if the <acronym>NAT</acronym> <acronym>FTP</acronym> proxy is
-	used.</para>
-
       <para>Without the <acronym>FTP</acronym> proxy, the following
-	three rules will be needed:</para>
+	firewall rules would instead be needed.  Note that without the proxy,
+	all ports above <literal>1024</literal> need to be allowed:</para>
 
       <programlisting># Allow out LAN PC client FTP to public Internet
 # Active and passive modes
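Review bot: dropping the "Only one filter rule is needed for FTP if the NAT FTP proxy is used" paragraph leaves the contrast in the replacement sentence ("would instead be needed") hanging, because the section no longer states what the proxy case requires. Either keep a one-line statement of the proxy case ahead of "Without the FTP proxy, ..." or fold it into the new sentence. Also check "all ports above 1024" against the port comparison actually used in the pass rules that follow (the out rule is not visible in this hunk); "above 1024" excludes 1024 itself, and the listing is what readers will copy.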
@@ -2376,35 +2370,32 @@ pass out quick on rl0 proto tcp from any
 # Active mode let data channel in from FTP server
 pass in quick on rl0 proto tcp from any to any port = 20 flags S keep state</programlisting>
 
-      <para>When the file containing the <acronym>NAT</acronym> rules
-	is edited after <acronym>NAT</acronym> has been started, run
+      <para>Whenever the file containing the <acronym>NAT</acronym> rules
+	is edited, run
 	<command>ipnat</command> with <option>-CF</option> to delete
-	the internal in use <acronym>NAT</acronym> rules and flush the
-	contents of the translation table of all active
-	entries.</para>
-
-      <para>To reload the <acronym>NAT</acronym> rules, issue a
-	command like this:</para>
+	the current <acronym>NAT</acronym> rules and flush the
+	contents of the dynamic translation table.  Include
+	<option>-f</option> and specify the name
+	of the <acronym>NAT</acronym> ruleset to load:</para>
 
-      <screen>&prompt.root; <userinput>ipnat -CF -f
-	  /etc/ipnat.rules</userinput></screen>
+      <screen>&prompt.root; <userinput>ipnat -CF -f /etc/ipnat.rules</userinput></screen>
 
-      <para>To display some <acronym>NAT</acronym> statistics, use
-	this command:</para>
+      <para>To display the <acronym>NAT</acronym> statistics:</para>
 
       <screen>&prompt.root; <userinput>ipnat -s</userinput></screen>
 
       <para>To list the <acronym>NAT</acronym> table's current
-	mappings, use this command:</para>
+	mappings:</para>
 
       <screen>&prompt.root; <userinput>ipnat -l</userinput></screen>
 
       <para>To turn verbose mode on and display information relating
-	to rule processing and active rules/table entries:</para>
+	to rule processing and active rules and table entries:</para>
 
       <screen>&prompt.root; <userinput>ipnat -v</userinput></screen>
     </sect2>
-
+<!--
+This section is confusing and may no longer be needed with new syntax.
     <sect2 xml:id="firewalls-ipf-rules-script">
       <title>Building the Rule Script with Symbolic
 	Substitution</title>
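Review bot: wrapping the whole `<sect2 xml:id="firewalls-ipf-rules-script">` in `<!--` removes a link target; any `<xref linkend="firewalls-ipf-rules-script"/>` or `<link>` pointing at it elsewhere in the book will now fail validation, so grep the doc tree for that id before committing (or keep the sect2 and mark it with a `<remark>`). Also confirm that nothing inside the commented span contains the sequence `--`, which is illegal inside an XML comment and would break the build even though the section is meant to be invisible.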
@@ -2515,7 +2506,7 @@ sh /etc/ipf.rules.script</programlisting
       <para>Now, when the system boots, the IPF rules will be
 	loaded.</para>
     </sect2>
-
+    -->
     <sect2>
       <title>IPFSTAT</title>
 
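Review bot: the `-->` closer is indented four spaces while the `<!--` opener sits in column 0, and the blank line that separated the two sect2 elements was consumed by the comment, so `<sect2>` IPFSTAT now abuts `-->`. Align the two delimiters and restore the blank line so the commented block reads as one unit and the surrounding markup keeps its spacing.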
