svn commit: r44054 - head/en_US.ISO8859-1/books/handbook/firewalls
Dru Lavigne
dru at FreeBSD.org
Tue Feb 25 17:59:17 UTC 2014
Author: dru
Date: Tue Feb 25 17:59:16 2014
New Revision: 44054
URL: http://svnweb.freebsd.org/changeset/doc/44054
Log:
Initial prep work for IPFW section so that it starts to match layout
of other firewall sections.
Many more commits to come.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:38:33 2014 (r44053)
+++ head/en_US.ISO8859-1/books/handbook/firewalls/chapter.xml Tue Feb 25 17:59:16 2014 (r44054)
@@ -1639,10 +1639,6 @@ block drop out quick on $ext_if from any
<programlisting>net.inet.ip.fw.verbose=1
net.inet.ip.fw.verbose_limit=5</programlisting>
- </sect2>
-
- <sect2 xml:id="firewalls-ipfw-kernel">
- <title>Kernel Options</title>
<indexterm>
<primary>kernel options</primary>
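Review bot: Dropping the `<sect2 xml:id="firewalls-ipfw-kernel">` start tag removes a link target; before committing, grep the book for `linkend="firewalls-ipfw-kernel"` and fix any `<xref>` that still points at it, since an unresolved linkend will fail the build. The kernel-options material also loses its heading: after this hunk the `<indexterm>` for "kernel options" follows the `net.inet.ip.fw.verbose` programlisting directly with no transition, so a bridging `<para>` introducing the kernel options would keep the merged section readable.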
@@ -1720,12 +1716,8 @@ net.inet.ip.fw.verbose_limit=5</programl
option or a rule to explicitly allow these connections is
missing.</para>
</note>
- </sect2>
- <sect2 xml:id="firewalls-ipfw-rc">
- <title><filename>/etc/rc.conf</filename> Options</title>
-
- <para>Enables the firewall:</para>
+ <para>The following <filename>/etc/rc.conf</filename> option enables the firewall:</para>
<programlisting>firewall_enable="YES"</programlisting>
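Review bot: The same linkend concern applies to `xml:id="firewalls-ipfw-rc"` being removed here; check for any `<xref linkend="firewalls-ipfw-rc"/>` elsewhere in the handbook. The replacement `<para>` is written on a single line well past the width the surrounding lines wrap at; wrap it to match, e.g. break after `<filename>/etc/rc.conf</filename>`. Wording-wise, "The following /etc/rc.conf option enables the firewall:" is a clear improvement over the bare "Enables the firewall:".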
@@ -1876,7 +1868,7 @@ ipfw add deny out</programlisting>
</sect2>
<sect2 xml:id="firewalls-ipfw-rules">
- <title>IPFW Rulesets</title>
+ <title>IPFW Rule Syntax</title>
<indexterm>
<primary>IPFW</primary>
@@ -1907,14 +1899,6 @@ ipfw add deny out</programlisting>
<literal>via</literal> options. For a complete rule syntax
description, refer to &man.ipfw.8;.</para>
- <warning>
- <para>Be careful when working with firewall rules, as it is
- easy to lock out even the administrator.</para>
- </warning>
-
- <sect3 xml:id="firewalls-ipfw-rules-syntax">
- <title>Rule Syntax</title>
-
<indexterm>
<primary>IPFW</primary>
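Review bot: The `<warning>` about locking out the administrator is removed without a visible replacement, and the commit log describes this commit as layout prep only. That caution is operationally important for anyone editing a live ruleset over the network; if it is being relocated in a follow-up commit, say so in the log, otherwise keep it, for example as the paragraph immediately after the "refer to &man.ipfw.8;" sentence so it still precedes the syntax description. Removing `xml:id="firewalls-ipfw-rules-syntax"` is also a link target going away, so check for remaining linkends as with the other two ids.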
@@ -1930,25 +1914,28 @@ ipfw add deny out</programlisting>
<para><replaceable>CMD RULE_NUMBER ACTION LOGGING SELECTION
STATEFUL</replaceable></para>
- <sect4>
- <title>CMD</title>
-
+ <variablelist>
+ <varlistentry>
+ <term>CMD</term>
+ <listitem>
<para>Each new rule has to be prefixed with
<parameter>add</parameter> to add the rule to the internal
table.</para>
- </sect4>
-
- <sect4>
- <title>RULE_NUMBER</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>RULE_NUMBER</term>
+ <listitem>
<para>Each rule is associated with a rule_number in the
range of <literal>1</literal> to
<literal>65535</literal>.</para>
- </sect4>
-
- <sect4>
- <title>ACTION</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>ACTION</term>
+ <listitem>
<para>A rule can be associated with one of the following
actions. The specified action will be executed when the
packet matches the selection criterion of the rule.</para>
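Review bot: The synopsis line marks up `CMD RULE_NUMBER ACTION LOGGING SELECTION STATEFUL` with `<replaceable>`, but the new `<term>` elements carry the bare words; using `<term><replaceable>CMD</replaceable></term>` and so on would keep the list visually tied to the synopsis. In the CMD entry, `add` is tagged `<parameter>` while the other IPFW keywords in this file (`log`, `limit`, `keep-state`, `check-state`) use `<literal>`; pick one markup for rule keywords. The structural change itself is sound: a `<variablelist>` is the right DocBook element for a per-field description and the `<varlistentry>`/`<listitem>` nesting is balanced in this hunk.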
@@ -1977,11 +1964,12 @@ ipfw add deny out</programlisting>
<para>Both words mean the same thing, which is to discard
packets that match this rule. The search
terminates.</para>
- </sect4>
-
- <sect4>
- <title>Logging</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Logging</term>
+ <listitem>
<para>When a packet matches a rule with the
<literal>log</literal> keyword, a message will be logged
to &man.syslogd.8; with a facility name of
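Review bot: The term casing is inconsistent: this entry uses `<term>Logging</term>` while the earlier entries use `CMD`, `RULE_NUMBER` and `ACTION`, and the synopsis spells the field `LOGGING`. Make the terms match the synopsis (`LOGGING`) or lower-case all of them, but not a mix.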
@@ -2002,11 +1990,12 @@ ipfw add deny out</programlisting>
final action on the packet. The administrator decides
which rules to enable logging on.</para>
</note>
- </sect4>
-
- <sect4>
- <title>Selection</title>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Selection</term>
+ <listitem>
<para>The keywords described in this section are used to
describe attributes of the packet to be checked when
determining whether rules match the packet or not.
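Review bot: With the `<sect4>` gone, the first sentence of this entry, "The keywords described in this section", no longer refers to a section; reword to "The following keywords are used to describe attributes of the packet..." so it reads correctly inside a `<listitem>`. The `<term>Selection</term>` casing has the same mismatch with the synopsis (`SELECTION`) as the Logging entry.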
@@ -2087,18 +2076,12 @@ ipfw add deny out</programlisting>
specified. <literal>limit</literal> and
<literal>keep-state</literal> can not be used on the same
rule as they provide the same stateful function.</para>
- </sect4>
- </sect3>
-
- <sect3>
- <title>Stateful Rule Option</title>
-
- <indexterm>
- <primary>IPFW</primary>
-
- <secondary>stateful filtering</secondary>
- </indexterm>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>Stateful Rule Option</term>
+ <listitem>
<para>The <literal>check-state</literal> option is used to
identify where in the IPFW ruleset the packet is to be
tested against the dynamic rules facility. On a match, the
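Review bot: This hunk deletes the `<indexterm>` for IPFW / stateful filtering along with the `<sect3>` wrapper, so the index entry is lost. An `<indexterm>` is permitted inside a `<listitem>` (or inside the first `<para>`), so move it into the new entry rather than dropping it. The `<term>Stateful Rule Option</term>` also diverges from the synopsis field name `STATEFUL` more than the other terms do; consider `STATEFUL` for consistency, with "stateful rule option" appearing in the prose instead.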
@@ -2119,7 +2102,9 @@ ipfw add deny out</programlisting>
combination occurred. If this count is greater than the
value specified by <literal>limit</literal>, the packet is
discarded.</para>
- </sect3>
+ </listitem>
+ </varlistentry>
+ </variablelist>
<sect3>
<title>Logging Firewall Messages</title>
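Review bot: Closing the `<variablelist>` here and letting the existing `<sect3>` "Logging Firewall Messages" follow it is valid DocBook (block content followed by subsections), but combined with the earlier title change to "IPFW Rule Syntax" the parent `<sect2>` now carries a subsection that is about log handling, not rule syntax. Either keep the broader "IPFW Rulesets" title, or plan to move this `<sect3>` to its own `<sect2>` with an `xml:id` in one of the follow-up commits the log promises.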